Everything posted by bobbyb1980

  1. bobbyb1980

    Metasploit

    Hey guys. For like the past week or two I've been addicted to metasploit. At work we have a network of over 50 machines (I'm the unofficial tech guy) and I've been setting up a bunch of browser exploits, like the java applet attack and the aurora module and getting meterpreter shells - tons of fun! I also get a free pass to play around with spear phishing which is tons of fun and actually works!

    I have a few questions for those of you more experienced in metasploit. After compromising one machine (over the internet) what I like to do is add that route to msfconsole so I can further explore the LAN from the internet. The logical next step, for me at least, is to map the network and then go after the router/switch. I'll see what kind it is, try to enumerate snmp info, search for known exploits, etc. I haven't done it yet but I'd like to try to bruteforce/dictionary attack the router via the compromised machine. The problem is I only have access to a shell, the cli. Does anyone know any ways I can run hydra or a similar program from the cli? I don't know much about this stuff in Windows and it seems everything is GUI. Or perhaps there is a module within metasploit that I can use to do this?

    My next question is about managing meterpreter shells. I'm using metasploit framework the free version and not the pro version. I have a dedicated server running a listener. I would like to know how I can setup the server with say a java applet attack, the victim goes there and I then get a meterpreter shell. The problem is that if I close this instance of the listener, the shell goes and doesn't come back. Does anyone know of any ways to manage meterpreter shells while being able to connect/disconnect at will (not background it)? I hope this all makes sense.
  2. I'm doing this right now. I have no physical access to the machine I want to install Ubuntu on and it's over the net. For an Ubuntu install over the internet the target machine needs to already have Ubuntu installed, have debootstrap working, already have SSH up and running and the disks need to be partitioned accordingly (before the install) for file transfers and the actual OS install. The remote partitioning is the tough part as you need to have the disk up while it's partitioning, and if something happens there and the disk goes, there's not much you can do.
  3. Since you mention exact software brands several times every paragraph I'm going to guess this is some advertisement for that Prey software. You could have used metasploit to do the exact same things plus more in a fraction of the time.
  4. Wow... a 50% success rate is really good. I assume you're using only English dictionaries and therefore crack only English passwords? Also, can you recommend a way to verify the integrity of handshakes? I've tried to use besside-ng to capture WPA handshakes, and I'm not sure if I need all 4 of the eapol packets or if it's crackable with only one. I've tried to use I think it was cowpatty to verify them, and I've had cowpatty tell me that handshakes I've already cracked are no good. Are your handshakes somehow verified before payment is made?
  5. What is your success rate? What languages are your dictionaries in? You using custom dictionaries or the public ones? Numbers and letter combined? Do you offer to run the .cap file against smaller dictionaries like gpuhash for no charge?
  6. Hello all. I was wondering if anyone knew of any good places to rent machines from? Machines that I could experiment with via telnet or ssh? I know absolutely nothing about this stuff but it seems 10 times cheaper to do it this way instead of actually buying the machines. Thanks guys.
  7. I'd say the best pentester is the one who designs their own exploits, but programming is really a field in its own and I don't think it can be compared/put in the same ballpark as security.
  8. If you have a firm handle on metasploit and backtrack I'd say that's a huge part, if not all, of being a pen-tester right there. If instead of using metasploit you'd rather write exploits for metasploit, then you need to become a programmer, which is very different than someone who does pentesting.
  9. If you're looking for a quick meterpreter shell you need to be more surgical. A Windows SP3 box w/antivirus shouldn't be vulnerable to db_autopwn.
  10. Hello. After successfully getting 3G ICS setup I thought I'd share how I got it done. The goal is to share 3G via a 3G USB Modem to the router (pineapple) who then goes on to give that internet via wifi to other victims. A rogue 3G AP. The victim will connect to the pineapple via wifi. The pineapple will be connected via ethernet to the attacking machine, where a 3G modem is connected that will give internet. Hopefully this makes sense.

    (ppp0) Internet 3G >---< (eth1) attacking machine >---< pineapple >---< victim

    I will also assume that internet/3G is already working as that can be a handful.

    ATTACKING MACHINE
    OS - Ubuntu 10.04
    IP - 192.168.0.2 (eth0) 172.20.0.178 (ppp0)
    DNS - 1.1.1.1 2.2.2.2

    PINEAPPLE
    IP - 192.168.0.1 (br-lan)
    GW - 192.168.0.2
    DNS - 1.1.1.1 2.2.2.2

    VICTIM
    IP - 192.168.0.249
    GW - 192.168.0.2
    DNS - 1.1.1.1 2.2.2.2

    STEP ONE - PREPARE ATTACK MACHINE
    Before we connect the pineapple, first we must find DNS info from the internet facing interface. This can be done by issuing: cat /etc/resolv.conf. Make note of these servers, as they will be necessary. Once internet is confirmed working, the Pineapple will then be connected.

    A. SET IPTABLES
    I haven't played around with the exact iptables configurations myself yet as Firestarter (sudo apt-get install firestarter) does the trick fine. It's point and click and pretty easy to follow, just check "Enable Internet Connection Sharing" and tell it what interfaces to bridge and it will do it. I am bridging ppp0 to eth0.

    B. SSH INTO PINEAPPLE
    Almost all of the configurations will be made via command line (it's possible to use openwrt and other guis to config this but not as reliable either).

    ssh 192.168.0.1 -l root

    STEP TWO - PREPARE PINEAPPLE
    The pineapple should be up. It should be able to speak to the internet but no DNS. So we'll set the DNS servers by first navigating to the /etc directory. Then issue: nano /etc/resolv.conf. Nano is my favorite txt editor because it's simple and easy to use, so I'll assume you can figure it out. We want to make the file (/etc/resolv.conf) look like this:

    nameserver 1.1.1.1
    nameserver 2.2.2.2

    Then save the file (CTRL-X) and exit. The pineapple should be able to ping google.com, verify that. Once verified we need to edit /etc/config/dhcp.conf so that when victims connect they get the right DHCP info. The /etc/config/dhcp.conf file should look like this:

    config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'filterwin2k' '0'
        option 'localise_queries' '1'
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'nonegcache' '0'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'

    config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '100'
        option 'limit' '150'
        option 'leasetime' '720m'
        list 'dhcp_option' '3,192.168.0.2'                    ###### this is the IP of the attacking machine
        list 'dhcp_option' '6,192.168.0.1,1.1.1.1,2.2.2.2'    ###### this is the IP of the pineapple, then the DNS servers from ppp0 on the attacking machine
        option 'ignore' '0'

    config 'dhcp' 'wan'
        option 'interface' 'wan'
        option 'start' '100'
        option 'limit' '150'
        option 'leasetime' '720m'
        option 'ignore' '1'

    config 'host'
        option 'ip' '192.168.0.2'    ###### this is the ip of the attacking machine

    STEP THREE - START KARMA (via web interface 192.168.0.1:1471)
    This is pretty much the meat and potatoes of things. You should now be able to connect a victim to the Pineapple and the victim can access the 3G internet via wifi. Now is the fun part. Here you can use SSLStrip + Iptables to reroute traffic and sniff it. Personally I don't like this attack as SSLStrip can be kind of obvious to the victim (it's slow plus no SSL). I prefer to DNS Spoof to a malicious java applet for a meterpreter session. Or you can rickroll the pineapple to a page with a malicious java applet for a meterpreter session also. Then pretty much anyone who connects will be pwned, and if you have karma running that can be a lot of people. Of course just as a proof of concept.
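An added example (not from the post above, and not Firestarter's own code): the sysctl and iptables commands that "Enable Internet Connection Sharing" configures behind the point-and-click, written out so they can be reviewed, plus a helper that turns the attacking machine's /etc/resolv.conf (step one) into the `dhcp_option` 6 line the post puts in the Pineapple's dnsmasq config (step two). Interface names, addresses and the sample resolv.conf are assumptions that follow the post's layout (ppp0 is the 3G link, eth0 the cable to the Pineapple). Note that what Firestarter sets up is NAT (masquerading), not a layer-2 bridge: the 3G side only ever sees the ppp0 address.

```shell
#!/bin/sh
# Added example, not from the original post: the sysctl/iptables side of
# "Enable Internet Connection Sharing" written out, plus a helper that
# builds the dnsmasq dhcp_option 6 line from the attacking machine's
# resolv.conf. Interface names, addresses and the sample resolv.conf
# below are assumptions following the post's layout.

WAN_IF=ppp0            # 3G modem, internet-facing
LAN_IF=eth0            # cable to the Pineapple
PINEAPPLE_IP=192.168.0.1

# Emit (do not run) the commands that make this host a NAT gateway from
# LAN_IF to WAN_IF. Pipe the output to "sudo sh" to apply it.
ics_rules() {
    wan=$1
    lan=$2
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Read resolv.conf text on stdin and print the nameserver addresses,
# one per line, skipping comments, "search" and "options" lines.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Build the value for DHCP option 6 (DNS servers) as the post lays it
# out: the Pineapple itself first, then the upstream resolvers read from
# resolv.conf text on stdin, comma-separated.
dhcp_dns_option() {
    pine=$1
    nameservers | awk -v head="6,$pine" '
        BEGIN { ORS = ""; print head }
        { print "," $1 }
        END { print "\n" }'
}

# Constructed resolv.conf, as pppd would leave it on the attacking machine
# (sample input, not captured from a real system).
SAMPLE_RESOLV='# Generated by pppd
nameserver 1.1.1.1
nameserver 2.2.2.2
search example.invalid'

if [ "${1:-}" = "apply" ]; then
    ics_rules "$WAN_IF" "$LAN_IF" | sudo sh
else
    echo "# ICS rules for $LAN_IF -> $WAN_IF (run '$0 apply' to install them):"
    ics_rules "$WAN_IF" "$LAN_IF"
    echo "# dhcp_option line for the Pineapple's dnsmasq config:"
    opt=$(printf '%s\n' "$SAMPLE_RESOLV" | dhcp_dns_option "$PINEAPPLE_IP")
    printf "list 'dhcp_option' '%s'\n" "$opt"
fi
```

Run it without arguments to see what would be installed; `apply` pushes the rules through sudo. The FORWARD rules only accept LAN-originated traffic and its replies, so they slot in cleanly if Firestarter or another firewall has already set the chain's default policy to DROP. To check the result from a victim, the same split the thread uses later applies: if `ping 8.8.8.8` works but `ping google.com` does not, NAT is fine and the problem is the DNS servers handed out by option 6.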
  11. Did you verify you have all the dependencies installed? Is metasploit updated? Are you running metasploit globally?
  12. You need to find out where the break is. Try to ping the router from the victim machine, then try to ping eth0 on the attacking machine, then wlan0, and so on. I.e. if you can ping 8.8.8.8 successfully but cannot ping google.com, it's a DNS problem. If you can ping eth0 (I assume that's 10.110.0.1) of the attacking machine but not wlan0 of the attacking machine it's a problem in the bridging (probably something in iptables). Be more specific with your problem.
  13. Lol I use the same method to flash my open mesh as I do all my routers, only thing different should be the files but you still should be able to flash it with ddwrt until he releases the final ones. Yes, check your arp tables to try to find the IP of the router. If you don't know how to do that, I know a place where you can learn. It's a wonderful magnificent place filled with information of all types and you will get an answer there MUCH faster than you'll get an answer here. This place is called google and you can arrive there by typing www.google.com in your browser. May the force be with you.
  14. If you can't ping your router after a reflash it may be bricked. You might want to describe how you're flashing it though (in detail, for example mine would not flash correctly if my wifi interface was connected at the same time) because you may not be flashing it properly. Try in windows and ubuntu. Check your arp-tables and use nmap to see if you can find the router's ip, sometimes after flashes it can be crazy numbers. Why would you need to send back a router that you yourself messed up?
  15. I had a very similar problem in my pineapple (v2), maybe it will work for the different hardware. When I changed the SSID in the webif interface (gui, I guess it would be ddwrt for the new pineapple), it usually wouldn't work. It would reboot and continue broadcasting the old SSID. What I had to do was manually edit the /etc/config/wireless file in the router (via ssh) and manually change the ssid name in the line "option ssid pineapple". Then, usually after a reboot it would broadcast the correct SSID. In regards to Karma, sometimes it would not start because there was no ath0 interface on the router (I think it was ath0, it will probably be different on the ap51). There is a script to create the ath0 interface (it's in the jasager package, I think it was also written into the gui) and after I created the interface it would always work (even though I never fully got the whitelist/blacklist function working).
  16. Just buy an open mesh and flash it with gargoyle and configure it for ICS, IMO this setup is very stable and capable of everything the Pineapple does minus Karma, and Karma still needs a lot of work.
  17. Looks like just another attempt to segregate the western internet from the rest of the world. To my understanding, they want to delete DNS entries of questionable sites from other nations that supposedly violate copyright or freedom of speech laws and even go as far as DDOS attacks against them. But what would happen if those other nations started deleting American sites from their ISP's DNS servers? Just seems like it's a 2 way street, while it wouldn't be in their best interests, they could always delete facebook, bank of america, etc. DNS entries and we wouldn't be able to do much about it. It's also weird to think that China has the largest internet population yet I couldn't tell you the name of the popular Chinese search engine, social networking, etc. These cyber war fear mongers are going to jump out of their business suits when the Chinese start releasing stuff in English. I think they should just let the internet evolve naturally and forget this non existent "cyber war" nonsense.
  18. My pineapple V2 does everything that the V3 advertises. Looks like the only difference is a web interface for editing files on the router.
  19. Metasploit is probably the easiest way, setup a java applet attack on the LAN and voila. Then once you have a meterpreter session you install the keylogger from a hidden installer (almost all the mainstream ones offer hidden installers). Then you use meterpreter keyscan as a backup keylogger in case the antivirus catches the other one, run persistence and metsvc to maintain access, and you pwned the pc without ever having to touch it. Then delete your tracks. Much easier/cleaner/reliable/stealthy than simply installing a keylogger. In my experience, when you ask a question in hak5 9 times out of 10 metasploit will be the answer.
  20. Or forget about the client and look for weaknesses in the router/switch. Same for whatever server is running. Or use a lantap to view the traffic between the client and the router. You also never said anything about dos attacks, so you could do that too to try to squeeze the dinner.
  21. There has to be ways to get a shellcode payload on the computer and execute it, whether it be with a java applet attack, sending it through email, getting it on a locally mapped drive or whatever. As long as the browser can run java it should work. If you were on the LAN with another machine listening there would be no need to go outside the firewall either and between arp spoofing, dns/dhcp spoofing, the millions of msf options, something should do the trick that will get you free lunch.
  22. Yeah I know, I'm a huge SET fan. Just thought this guy's program could kind of pentest to try to prevent the Java applet attack, but then again short of installing NoScript in your browser how can you even stop the java applet attack?
  23. This thought crossed my mind this morning also. You should add a Javascript prompt to prompt the user to run a Java application as part of the test. I think that in the wild this type of attack is much more destructive and common than simple phishing ones.