
bobbyb1980

Active Members
  • Posts: 498
  • Days Won: 4

Everything posted by bobbyb1980

  1. Finally got around to playing around with this idea on the pineapple and it seems to work. I'm using an open mesh though and not the new one. All I had to do was edit /etc/config/dhcp to the standard ICS format, set addresses, subnet, etc etc. The one that we all use as stock ICS. Except on the default form it has 2 options for DNS, the local openmesh router address and 8.8.8.8. I then changed that to a remote address that was running digininja's DNS MiTM module and it works well. IMO a lot less resource intensive than using arp based attacks. I also tried the fake dns server ms module but I prefer digininja's as you can edit individual responses. Since this setup is an open mesh with an EEE as the attacking machine my resources are limited. However in theory one could host digininja's DNS MiTM module from the mkIV and edit individual DNS responses to say facebook.com, and gmail.com. I just wonder if a little router, even the mk4, is capable of functionally operating this DNS server + whatever else it's using. I personally had an open mesh w/ICS setup. The open mesh gave normal DHCP leases except pointing to a remote DNS server. The DNS server only has one edited entry forwarding all google responses to the same address which is apache running w/a java attack. I also found a few routers that are vulnerable to this attack (changing DNS server). In conclusion, DNS = pwnage : )
  2. Be sure to enable IP forwarding and set the masquerading rule in iptables. When connecting to the internet from your attacking machine, use wicd instead of network manager for the wlan interface and use ifconfig to manually give an IP to eth0. At least on my version of Ubuntu network manager doesn't really handle 2 connections simultaneously.
  3. What helped me get a good understanding was reading the tutorials Darren wrote. Start off with the one about flashing the pineapple, flash it, and get a good understanding of each step along the way. Then move on to the Rickrolling tutorial and get a good understanding of that. Then setup ICS. Then move on to the phishing tutorial (I mean do all of this manually). I'm far from an expert myself, but once I was able to do all of these things without reading the tutorials (ie set them up fast) it started to let me understand how it works, then you'll be able to start to customize your attacks when you combine it with your knowledge of metasploit or if you script.
  4. Although I've never done it personally, I've read several articles about people who want to accomplish the same net result (GUI) but instead use VNC and SSH to accomplish it. They used the metasploit VNC payloads and got the victim to vnc out via SSH to a remote server. The attacker then connects to the same server and I believe this eliminates the need to port forward. Or something like that : P
  5. I actually started another thread that touches on this subject. As mentioned in the other thread, many routers come with DNS servers hardcoded into the firmware, so for this attack to work you'll have to find one that doesn't (you should be able to edit /etc/resolv.conf on the pineapple to do this). It sounds like you'd want to reroute traffic to a page that will somehow get you a meterpreter shell, be it java applet attack or browser exploit etc. Once you get an open meterpreter shell carrying out your attack should be fairly painless from here, but getting access to RDP especially from over the internet may be quite difficult without having the respective ports forwarded.
  6. Considering the amount of airports and military installations in the immediate Bay Area they're going to have a hard time delivering to a lot of areas.
  7. I always go through and demonstrate to what few clients I have how they can get pwn'd in the wild. I can't just say 'your info isn't secure because telnet/smtp was listening publicly, now pay me'.
  8. Hey guys. What happened was, I was referred a client and all I had was their Skype info. Usually I'd just get them to click a link (trying to change my game a little) but I first sent them a file with some details of how I work, and in turn I got their IP. I scanned the IP to find SNMP was enabled w/a public community string and telnet was listening w/a default password. If I could just slide my DNS server in there I could have complete pwnage without any interaction and I'd just say look bud, you're a sitting duck, here's what we're going to do, get paid, move on and repeat : ) Unfortunately this router wasn't vulnerable to this type of attack. I try to use ARP attacks as a last resort, they're easily detectable, you need to be inside (which I'm not) and they're easily stopped. My goal for this job isn't to gain complete access to their network either, there are certain sites this company uses and by simply phishing passwords I would be able to demonstrate a potential financial loss much greater than the value of any data they may or may not have sitting around.
  9. Well that's no fun. I assume that if the router's firmware has vulnerabilities then it would be possible to extract the firmware and change it from there? I'm going to try this on the pineapple also, hopefully it works, will report results.
  10. Hey guys, quick question on how DNS works. I am trying to demonstrate an attack for a client that if a router can be compromised, then in theory the entire connection and anyone using it is also compromised. I can get into a router, and change the DNS server to my own DNS server. The problem is that sometimes it works, sometimes it doesn't. My question is, where does the router get its DNS info from? I imagine that when the router receives an IP over the WAN via DHCP then the ISP's DNS servers are included in it? Some routers seem to not care about this, other routers seem to always go with the ISP DNS. Any ideas?
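Added example (mine, not code from this thread) for the question above: the resolvers a router uses on its WAN side arrive in the ISP's DHCP ACK as option 6 (RFC 2132, "Domain Name Server"). The parser below pulls option 6 out of a constructed ACK; a router that honours the lease uses that list, while one with a manually entered or firmware-fixed resolver keeps its own list and ignores option 6, which is modelled by the pinned_dns argument. All addresses, the xid and the chaddr are sample values, not a capture.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# DHCP option codes used below (RFC 2132)
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE = 1, 3, 6, 51
OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def encode_options(options):
    """Encode (code, value_bytes) pairs as DHCP TLVs, terminated by END."""
    out = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return out + bytes([OPT_END])


def build_dhcp_ack(yiaddr, router, dns_servers, lease=3600):
    """Constructed DHCP ACK like an ISP server returns to a CPE's WAN port.
    Sample values throughout (assumption), not a captured packet."""
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # BOOTREPLY, Ethernet
    fixed += socket.inet_aton("0.0.0.0")                   # ciaddr
    fixed += socket.inet_aton(yiaddr)                      # yiaddr: address given to the router
    fixed += socket.inet_aton("0.0.0.0") * 2               # siaddr, giaddr
    fixed += bytes.fromhex("001122334455") + b"\x00" * 10  # chaddr, 16 bytes
    fixed += b"\x00" * 192                                 # sname (64) + file (128)
    opts = [
        (OPT_MSGTYPE, b"\x05"),
        (OPT_SERVER_ID, socket.inet_aton("203.0.113.1")),
        (OPT_LEASE, struct.pack("!I", lease)),
        (OPT_SUBNET, socket.inet_aton("255.255.255.0")),
        (OPT_ROUTER, socket.inet_aton(router)),
        (OPT_DNS, b"".join(socket.inet_aton(d) for d in dns_servers)),  # option 6
    ]
    return fixed + MAGIC_COOKIE + encode_options(opts)


def parse_dhcp(packet):
    """Parse the fixed header and the option TLVs of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (length or magic cookie)")
    op, _, _, _, xid, _, _ = struct.unpack("!BBBBIHH", packet[:12])
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                 # PAD has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": socket.inet_ntoa(packet[16:20]), "options": options}


def ip_list(raw):
    """Split an option value holding N concatenated IPv4 addresses."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [socket.inet_ntoa(raw[k:k + 4]) for k in range(0, len(raw), 4)]


def wan_dns_from_ack(packet, pinned_dns=None):
    """Resolvers the router ends up with after this lease.
    pinned_dns models a router whose DNS is set by hand or fixed in firmware:
    it keeps that list and ignores option 6, which is why swapping the upstream
    DHCP answer only works against routers that take the lease's resolvers."""
    info = parse_dhcp(packet)
    mtype = MSG_TYPES.get(info["options"].get(OPT_MSGTYPE, b"\x00")[0], "other")
    offered = ip_list(info["options"].get(OPT_DNS, b""))
    return {
        "msgtype": mtype,
        "yiaddr": info["yiaddr"],
        "router": ip_list(info["options"].get(OPT_ROUTER, b"")),
        "dns_in_lease": offered,
        "dns_in_use": list(pinned_dns) if pinned_dns else offered,
    }


if __name__ == "__main__":
    pkt = build_dhcp_ack("203.0.113.55", "203.0.113.1", ["203.0.113.53", "198.51.100.53"])
    print(wan_dns_from_ack(pkt))
    print(wan_dns_from_ack(pkt, pinned_dns=["192.0.2.10"]))
```

To see what a real router is being handed, capture UDP port 68 on its WAN side (or on a span of the ISP link) and feed the payload of the ACK to parse_dhcp; the router's admin page then tells you whether it kept option 6 or a pinned list.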
  11. This method of phishing was giving me mixed results also. I got better results when I just spoofed the DNS to different addresses and ports running credential harvesting pages. Just out of curiosity which browsers was this not working for?
  12. The router that was being used actually had the telnet, snmp, and ftp ports open w/a default password and logging was disabled but I checked my DNS servers and they seem to be legit and luckily no real damage seemed to be done. This machine/person was scanning ports in the 20000 range, maybe 100 or so, and all I could get from the firewall was that they were ICMP. To my understanding ICMP can be used to reroute traffic so someone could sniff from over the internet? Anyone with any theories as to what was going on? Ironic part is, I scanned the ip that was scanning me and it has no admin pw w/telnet and remote http enabled...
  13. Hey guys, I saw a strange IP port scanning me last night and this new office has a new router fresh from the ISP. It was unsecured during the scanning and now I want to secure it against attacks from the internet and here's what I've done and please let me know what more I can do.
      • Disable Telnet
      • Disable http remote admin
      • Disable ftp remote admin
      • Change default password
      • Verify DNS integrity
      • Disable SNMP
      • Change SNMP community string
      And what else?
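Added example, not code from these posts or from digininja's module: the minimal DNS wire-format plumbing that sits under both the "edit individual responses" MITM resolver of post 1 and the "Verify DNS integrity" item in the checklist above. It builds an A query, answers it from a spoof table the way a MITM resolver does (forwarding of unlisted names upstream is left out so the block runs offline), and compares the answer from the router-advertised resolver with the answer from a resolver you trust. The spoof table, the 192.0.2.10 target and the 198.51.100.20 "legitimate" address are assumptions.

```python
import socket
import struct

# Assumed spoof table: names the MITM resolver answers itself; in a real
# deployment everything else is forwarded upstream unchanged.
SPOOF_TABLE = {
    "www.google.com": "192.0.2.10",   # assumption: attacker's apache host
    "mail.google.com": "192.0.2.10",
}


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query, as a client sends it to its resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def question_of(query):
    """Return (txid, qname, qtype, qclass, raw question bytes)."""
    txid, _, _, *_ = struct.unpack("!HHHHHH", query[:12])
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    return txid, qname.lower(), qtype, qclass, query[12:off + 4]


def build_a_response(query, ip, ttl=60):
    """Answer the query's question with one A record pointing at ip."""
    txid, _, _, _, question = question_of(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def mitm_answer(query):
    """MITM resolver policy: answer listed names locally; None means 'forward upstream'."""
    _, qname, qtype, qclass, _ = question_of(query)
    if qtype == 1 and qclass == 1 and qname in SPOOF_TABLE:
        return build_a_response(query, SPOOF_TABLE[qname])
    return None


def parse_a_answers(msg):
    """Return (txid, [IPv4 strings]) from a response, skipping non-A records."""
    txid, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, ips


def dns_integrity_check(router_response, reference_response):
    """Compare the router-advertised resolver's answer with a trusted resolver's.
    A disjoint A-record set for the same question is the signature of a swapped resolver."""
    txid_r, router_ips = parse_a_answers(router_response)
    txid_t, ref_ips = parse_a_answers(reference_response)
    if txid_r != txid_t:
        raise ValueError("responses do not belong to the same query")
    return {"router": router_ips, "reference": ref_ips,
            "spoofed": not set(router_ips) & set(ref_ips)}
```

In practice you send build_query's bytes over UDP/53 to the resolver handed out by the router's DHCP and to one you trust, then run dns_integrity_check on the two replies; CDN names legitimately return different addresses from different vantage points, so treat a disjoint set as a prompt to look, not proof by itself.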
  14. Here's what I have so far. This is my first program so no laughing. I'm only going to post the code that I've written that searches files for MACs and IPs as the other parts aren't relevant to this question. If you see a way to do this by piping outputs and searching them from there please let me know!

```python
import os
import re

###########
## FUNCTIONS
###########
print('=' * 80)
print('-' * 80)
print("THIS IS A SIMPLE MODULE TO SEARCH A FILE FOR A MAC OR IP")
print("AND THEN PUTS THOSE MACS IN A TXT FILE FOR FURTHER ANALYSIS")
print("TO CONTINUE, SELECT 1 TO ID MAC OR 2 TO ID IP")
print('-' * 80)
print('=' * 80)
choice = int(raw_input('1/2?'))  # Choice for menu

os.system('ifconfig > ifconfig_1.txt')  # Run ifconfig and output to said file
macfind = open('ifconfig_1.txt', 'r')  # File object
output_1 = open('output.txt', 'w')
list_macfind = list(macfind)  # Convert file to an iterable, one entry per line
macfind.close()

# Search strings for MAC and IP ('|' inside a character class is a literal, so only : and - are allowed as separators)
searchmac_string = r'([a-fA-F0-9]{2}[:\-]){5}[a-fA-F0-9]{2}'
searchip_string = r'\.'.join(['(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'] * 4)

if choice == 1:
    for x in list_macfind:
        a = re.search(searchmac_string, x)  # match object, or None if the line has no MAC
        if a:
            output_1.write(a.group(0) + '\n')  # put addys in txt for further analysis
            print(a.group(0))  # display macs found
    output_1.close()
    os.remove('ifconfig_1.txt')  # delete file
    deauth_file = open('output.txt', 'r')  # opens previous output file

if choice == 2:
    ips = []
    for y in list_macfind:
        b = re.search(searchip_string, y)
        if b:
            ips.append(b.group(0))  # store the matched text, not the match object
            print(b.group(0))
    output_1.close()
    os.remove('ifconfig_1.txt')
```
  15. Hey guys. I am currently trying to write a program in Python that analyzes an ifconfig output and gives further options for changing MAC, changing IP, loading the contents into airmon-ng, etc. Currently what I do is import os and use that module to run "ifconfig > ifconfig.txt". Once I have ifconfig.txt confirmed I open that file then use the "re" module to compile it and search it for string of IP or MAC addys or whatever. This technique is effective but I believe there are more... pythonic ways of doing this as this way requires 2 output files, one for the original ifconfig.txt command and another for the results of the search. Or at least my book leads me to believe that. I have been heavily researching the "subprocess" module. I have successfully been able to import subprocess and use subprocess to execute "ifconfig" (by piping it to STDOUT) and then I can call process.communicate() to view the output in a human friendly version. The problem is that the output appears as a tuple but is not iterable, ie I can't search it for MAC addys or IPs. I have tried doing "list(process.communicate())" and assigning it a variable but that also generates errors. I've looked at the code for similar python programs and there are people who have successfully done this and I imagine it's pretty common but I am not familiar with the concepts/code being used to do it. Several other programs use the "cmd" module to run the command but the code I have seen appears obfuscated (to me at least) past that. Will I be forever writing to files for output or is there a cleaner way to do this? Thanks fellas.
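Added example (mine, not the poster's program) answering the question above: subprocess.run captures ifconfig's stdout as one string, so there is no temporary file and no second output file; the regexes then run directly over that string. The net-tools style output in SAMPLE_IFCONFIG is constructed so parse_interfaces can be exercised without running ifconfig at all; run_ifconfig is what you call for live data. Assumes Python 3.7 or later.

```python
import re
import subprocess

# A MAC must not be preceded or followed by another hex pair or colon, so we do not
# grab six pairs out of the middle of an IPv6 address.
MAC_RE = re.compile(r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Old net-tools prints "inet addr:X", newer builds print "inet X"; accept both.
INET_RE = re.compile(r"\binet (?:addr:)?(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample of classic net-tools ifconfig output (not a real capture).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

wlan0     Link encap:Ethernet  HWaddr 66:77:88:99:aa:bb
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""


def run_ifconfig():
    """Capture ifconfig's output as text with no temp file; stderr is merged so
    an error ('ifconfig: command not found', permission problems) ends up in the string."""
    proc = subprocess.run(["ifconfig"], stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True)
    return proc.stdout


def parse_interfaces(text):
    """Split ifconfig output into per-interface blocks and pull out the MAC, the
    primary inet address and every dotted quad (address, broadcast, mask) per interface.
    Blocks start with a non-space character in column 0; continuation lines are indented."""
    result = {}
    for block in re.split(r"\n(?=\S)", text.strip()):
        name = block.split()[0].rstrip(":")          # 'eth0' or 'eth0:' on newer builds
        macs = MAC_RE.findall(block)
        inet = INET_RE.search(block)
        result[name] = {
            "mac": macs[0].lower() if macs else None,  # loopback has no HWaddr line
            "inet": inet.group(1) if inet else None,
            "ipv4": IPV4_RE.findall(block),
        }
    return result


def find_addresses(text):
    """Flat lists of every MAC and IPv4 in the output, what the original program wrote to output.txt."""
    return {"macs": [m.lower() for m in MAC_RE.findall(text)], "ips": IPV4_RE.findall(text)}


if __name__ == "__main__":
    for iface, info in parse_interfaces(run_ifconfig()).items():
        print(iface, info)
```

Nothing here touches the filesystem: the string returned by run_ifconfig is the same kind of object as SAMPLE_IFCONFIG, so everything downstream (changing the MAC, feeding airmon-ng) can work from the parsed dictionary instead of re-reading a text file.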
  16. Found an answer. It can be a hassle upgrading 2.6 to 3.x via the shell terminal, but I found that you can just install the 3.1 IDLE via the repos along with other versions.
  17. Thanks for the link Infiltrator. Looks like what you're trying to do is highly possible, just maybe not w/SET.
  18. For what it's worth, some 3G USB modems won't be able to mode switch on Ubuntu. However if you open up a windows virtual machine and attach the USB device to the virtual machine and run the driver from windows, then attach it back to the host the mode should be switched and it should be able to connect to a 3g network.
  19. Yeah but how would he run 2 or more instances of Apache (presumably using the same config file) on different ports?
  20. I've heard of running two instances of Apache on different ports but don't have much personal experience with it, I'm sure if you google it'll turn something up. Otherwise you could try to run one instance of the Apache server on port 80 and go into set_config and run the python server on a different port. Or you could try to host all the spoofed sites on the same server but in different directories, so you can point to each of them as if they were their own.
  21. Sorry for snapping at you digi : ( Mr. P, I know it doesn't sound very practical but I'm currently in the process of writing a python program to guard a wifi connection against AP impersonation style attacks. I am hoping to have it finished by the end of the month. It will need a dedicated interface to listen on, and will deauth anything it doesn't like. I'm about 20% done writing that function, I already wrote one that analyzes an AP via airodump for new/unknown clients and deauths anyone that connects to your AP via aireplay-ng. I figure if you're using your own AP there should be no reason that anyone else is connecting to it. I took the idea from I think it was Kennedy's program that blacklists anything that touches a port and applying that same concept to the lower layers.
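Added example (not the program the post describes) of the whitelist-and-deauth idea: parse the CSV that airodump-ng writes with `-w`, flag clients associated with your BSSID that are not on the whitelist, flag other APs advertising your ESSID (the impersonation case), and build the aireplay-ng command line that would knock a client off. The CSV content, MY_BSSID and WHITELIST are constructed; the code assembles the command but deliberately does not execute it.

```python
import csv
import io
import re

MY_BSSID = "00:11:22:33:44:55"                            # assumption: the AP being guarded
WHITELIST = {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"}    # assumption: clients we expect

# Constructed airodump-ng CSV (same two-section layout as the real -w output, not a capture).
SAMPLE_AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2012-01-01 10:00:00, 2012-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   6, MyHome, 
66:77:88:99:AA:BB, 2012-01-01 10:00:01, 2012-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -70,      100,        0,   0.  0.  0.  0,   6, MyHome, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2012-01-01 10:00:05, 2012-01-01 10:05:00, -50,       40, 00:11:22:33:44:55, MyHome
AA:BB:CC:DD:EE:99, 2012-01-01 10:03:00, 2012-01-01 10:05:00, -55,       12, 00:11:22:33:44:55, 
DE:AD:BE:EF:00:01, 2012-01-01 10:04:00, 2012-01-01 10:05:00, -60,        5, (not associated), MyHome,Free WiFi
"""


def _rows(section):
    """Rows of one CSV section with airodump's post-comma padding stripped; header dropped."""
    rows = [[f.strip() for f in r] for r in csv.reader(io.StringIO(section)) if r]
    return rows[1:]


def parse_airodump_csv(text):
    """Return (aps, stations). airodump separates the AP table from the station table
    with a blank line; probed ESSIDs can contain commas, so they are taken as the tail."""
    ap_part, sta_part = re.split(r"\n\s*\n", text.strip(), maxsplit=1)
    aps = [{"bssid": r[0].upper(), "channel": r[3], "privacy": r[5],
            "power": int(r[8]), "essid": r[13]} for r in _rows(ap_part)]
    stations = [{"mac": r[0].upper(), "power": int(r[3]), "packets": int(r[4]),
                 "bssid": r[5].upper(), "probes": [p for p in r[6:] if p]}
                for r in _rows(sta_part)]
    return aps, stations


def find_impersonators(aps, my_bssid):
    """Other BSSIDs beaconing our ESSID: the evil-twin / AP impersonation case."""
    mine = [a for a in aps if a["bssid"] == my_bssid.upper()]
    if not mine:
        return []
    essid = mine[0]["essid"]
    return [a["bssid"] for a in aps if a["essid"] == essid and a["bssid"] != my_bssid.upper()]


def find_rogue_clients(stations, my_bssid, whitelist):
    """Stations associated with our AP that are not on the whitelist."""
    allowed = {m.upper() for m in whitelist}
    return [s["mac"] for s in stations
            if s["bssid"] == my_bssid.upper() and s["mac"] not in allowed]


def find_probers(stations, essid):
    """Unassociated stations probing for our ESSID (worth watching, not worth deauthing)."""
    return [s["mac"] for s in stations if s["bssid"] == "(NOT ASSOCIATED)" and essid in s["probes"]]


def deauth_command(bssid, client, iface, count=5):
    """argv for aireplay-ng's directed deauth; returned, not executed."""
    return ["aireplay-ng", "--deauth", str(count), "-a", bssid, "-c", client, iface]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_AIRODUMP_CSV)
    print("impersonators:", find_impersonators(aps, MY_BSSID))
    for mac in find_rogue_clients(stations, MY_BSSID, WHITELIST):
        print(" ".join(deauth_command(MY_BSSID, mac, "mon0")))
```

Two caveats a guard like this has to live with: a whitelist keyed on MAC is defeated by anyone who clones an allowed client's MAC, and deauthing a client of an impersonating AP (as opposed to your own) is an attack on a third party's network, so keep the automatic action limited to your own BSSID.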
  22. I think it's an interesting situation. On the one hand if every kid went around trying to break into networks in the name of the greater security good, then we would have extremely insecure networks with constant threats. On the flip side of that coin, if no one ever tried to engage networks to test security then we would have extremely insecure networks. Networks are inherently insecure and everyone knows that, I don't think we need a kid to prove that. This is obviously a question of ethics with no right/wrong answer, I just think it depends on the situation. From what I understand the kid presented the security vulnerability in a somewhat professional fashion, as professional as a high school kid can be at least. I think it's good for people to do this, but in a manner where they don't undermine anyone's authority. I think the kid should be warned, it was nice of him to find the vulnerability, but there are people who are paid to do that. He should be made to understand his job is to read books and be a student and not break into networks.
  23. First off, I didn't ask him to do anything. Secondly, if someone is trying to monitor me (which they usually do for malicious purposes) I'm not going to sit by idle and wait for the police to come to my rescue, and in the meantime hope they don't get my bank acct/email/facebook credentials. If I personally called my local police station and said "someone is sniffing my traffic" they'd probably say "well I hope it doesn't smell bad!" Thirdly, especially if someone is trying to steal my wifi (never happened), I'm not going to sit by and watch them. Like we've both mentioned though, if you're not doing anything wrong, you have nothing to worry about, but we always need to know how to handle threats that are growing increasingly common.
  24. If you think you're being watched locally, then scan all client/AP MAC's in your area. Find out what those MAC's are doing, sniff their traffic, go outside, look around, etc. If you think someone is monitoring your traffic from over the internet, give them something to monitor and watch and see what happens. Try to get the IP that is (assumed) passively sniffing your IP then do it right back to them. Of course, if you're not doing anything wrong then there should be nothing to worry about. However with so many jr. wifi warriors running around these days it never hurts to take some extra measures to prevent yourself from becoming a victim of phishing or java attacks or whatever it may be. Sometimes it makes me : ( to see that the main focus of our technologies are becoming on security based on paranoia. If it keeps going like this in another 5 or 10 years the internet will be like a maximum security prison.
  25. Hey guys. I keep running into a brick wall searching for information on how to get Python 3.0 on Ubuntu 10.04 or 11. I am looking for a fairly simple way of doing this, I know I can do a make and make build but I don't want to risk losing anything on this machine as I need it. Any ideas?