telot

Dedicated Members
  • Posts: 803
  • Days Won: 12

Posts posted by telot

  1. I said it a couple of times.

    It works simultaneously, but deauth webui is broken.

    I am just waiting for something special and will then release v2.0.

    Best,

    Sebkinne

    Woo! Can you elaborate on the relationship between wlan1 in master mode and mon.wlan0 in monitor mode in regards to karma? Is the mon.wlan0 what scans for probe requests and tells the wlan0 (master) what to reply back with? In order to deauth, do I need to airmon-ng start wlan0, thereby creating a second monitor mode adapter (mon1)?

    Waiting for something special hmm? Like a kiss from a prince? MMMmwwwaa! There ya go Seb, now how bout that release! All kidding aside, what kind of problems are you running into? Anything we could help with? I'm so curious as to your relationship with the Mark3 - do you get a portion of profits from the hakshop? Did you and Darren work together on the mark3, his ideas and your coding? Like I mentioned once before, if you set up a "Donate" button, I would happily throw some cash your way for all the hard work in making my favorite embedded system even better. Thanks Seb

    telot

  2. Hey guys, thank you for your input and for those insightful links. Let me first answer the question of the budget for the project and then I will give a little bit of the background story behind my idea of running this many VMs. So there is no real budget for this project because it is a proof of concept; the idea is to find the cheapest way of being able to run so many machines 24/7 for at least six months. So how did this idea come to be? Well, a very good friend of mine was looking into hosting various events such as tournaments for games, motivational speaking, security talks and countless many other events, and he thought it would be a good idea to stream them live over one of the so many sites available. So me being me, and arriving at a very similar conclusion to Brian Brushwood's, the guest on this week's episode, that if "other people are watching" more and more will follow. Which by the way was so funny when I watched the last episode on Saturday morning. I was like, yeah, I have been saying this for a while and have tried, on several occasions, to prove this theory in a real world scenario. So this is the next evolution of the concept ported over for a technology driven world. Anyways, so when my friend and I discussed this he agreed and asked if there was any way to generate views. Immediately I had the idea about the virtual machines. As previously stated each VM has to be running its own instance of Tor and has to be able to navigate to the URL (I also want to have all of this automated so all one has to do is start the machines). Please feel free to improve on the idea; maybe you have not had the best experience with Tor and want to recommend other free open source products, or maybe you have an idea for what OS to run. Yet still, maybe you can come up with the best way to automate these tasks; in short, what do you guys think, are there better ways to achieve this, or am I out of my mind?
    I also would like to incorporate that concept of crowd sourcing using Facebook and other social media to generate momentum but that is for another day.

    Again thank you for your responses and for allowing me to pick at your brains...

    So let me get this straight - this server with 100s to 1000s of VMs is going to artificially inflate social presence on a website/forum/blog/whatever in order to increase interest, or "trend" a specific idea to the mass public? If I'm correct, I think this is a great idea and will really expose holes in the social nature of the web (just like that annoying hair guy on this week's ep, like you said...god I hate his hair). Screw proof of concept, you could easily market this to SEO and other internet marketing sites...captcha would be the only hurdle to automating this process in my mind, but there's a number of workarounds by the looks of it (just did a quick google search, I've never had any experience using the techniques however). As for the chrome private browsing vs tor - I would combine a number of different routes to anonymizing the traffic - that way all the traffic isn't generated by just one type of browser, as 100% chrome usage is not common on the internet and would be a red flag to any admin looking at traffic. So you could have some chrome private browsing, some firefoxing tor and maybe even some i2p to switch it up a bit. Keep us updated on your progress please, I'm very interested to see how far this can go!

    telot

  3. OK, my bad, I forgot it has an Ethernet chip and a WiFi chip, but I'm not sure why my ap51 keeps shutting down and everyone else's don't.

    Do you have a massive amount of dust or gunk built up mreidiv? I find it unlikely, but since it hasn't been mentioned yet, it's probably worth a shot to fire up an air compressor and blast the little fruit. Personally I live in the arctic (not really, but it's f-ing cold) and my pentest lab is in the basement (where it's really f-ing cold) so I have had zero heat problems. What's your environment like?

    Besides that, I'd start hacking the thing apart and adding a small fan like the others were saying. Going off just the pictures, it looks like you may be able to pull power directly off the barrel plug on the underside of the board. Grab a 5 dollar voltmeter from home depot or whatever and let us know how it goes!

    telot

  4. A good script, I just don't see why the pineapple isn't used to deauth clients. That eliminates the requirement for an extra wifi card.

    http://forums.hak5.org/index.php?showtopic=24637&st=0&gopid=193205entry193205

    Seb please see the ^above^ thread on why I've gone with the alfa realtek usb instead of using the on-pineapple atheros to deauth. The current gui deauthing is broken, and I've found little to no documentation on how the pineapple is doing its Jasager thing (karma) - such as what mon.wlan0's function is and if it's possible to deauth while still simultaneously serving up karma to victims (I'm going to try and test this today or tomorrow). Wish me luck, but any documentation/help would be greatly appreciated! Thanks and glad you guys enjoy the script! There's more to come I'm sure!

    telot

  5. Telot, awesome post...

    Unless we are interested in being laser focused (/me queues the sharks with freakin' laser beams attached to their heads) with aireplay, why not add airdrop-ng to the WEB-GUI so we can just use our death stars tractor beam and bring in everything thats around...

    Snippet of code from Darren:

    touch deauth.conf
    nano deauth.conf
    a/00:00:00:00:00:00|any <-- mac of our AP51 AP
    d/any|any
    airdrop-ng -i mon0 -t cap-01.csv -r deauth.conf

    My question still remains, from another thread: how can the pineapple keep providing internet to existing clients that you are p0wning, if you start deauthing from the web-gui and the pineapple's wireless adapter? Isn't a better solution, so that timing and preventing existing clients from being disconnected, to use an ALFA USB and a tool running on our laptop?

    Unless the answer to my question is that you can have clients connect plus do mass deauth all from the pineapple without interruptions, then I think it's best to have a 2nd wireless adapter for deauthing.

    I'm trying to find that out right now Diggler! I've been hoping Seb or someone would chime in with a definitive answer, but we'll/I'll just have to test it out ourselves! First things first is what function mon.wlan0 is performing for the Jasager portion of the pineapple - and can you use that already-in-monitor-mode adapter to airodump and deauth all while still serving up karma to your victims...I'll report back here with my findings.

    telot

  6. Short Answer: crontab

    Long Answer: You could add a crontab to have it start automatically but it may not reflect that on the web-gui for the pineapple if started that way. I'm not sure how it is identifying that it is enabled or not with feedback or just guessing because you clicked "Enable" and it just says it's active without feedback.

    crontab
    crontab [-c DIR] [-u USER] [-ler]|[FILE]
    
            -c      Crontab directory
            -u      User
            -l      List crontab
            -e      Edit crontab
            -r      Delete crontab
            FILE    Replace crontab by FILE ('-': stdin)

    http://busybox.net/downloads/BusyBox.html

    The gui is of little to no concern for me, but I will let you know how it reacts once I do my trial and error with crontab -e

    Thanks again Mr. Protocol

    telot

  7. Quick version: How do I autorun karma on the pineapple at bootup, or after a certain amount of time after power on?

    Long version:

    My dream for the pineapple is to have a tiny computer that has 2 usb ports and an ethernet port (read: raspberrypi.org). I'll have a pineapple connected via ethernet, an alfa realtek usb wifi adapter connected to one usb and another brandX wifi dongle connected to the other usb. Upon bootup of backtrack, brandX wifi will begin iwlist scanning for nearby open wifi hotspots and autoconnect. At that time LED1 connected to the GPIO headers on the r-pi will steady burn green. After that is accomplished, the r-pi will run my 1scripttorulethemall.sh (see telot.org) and autoconfigure ICS to the pineapple. At that point LED2 will light up green. Continuing on, the script then will turn on monitor mode on the alfa, airodump nearby wifi hotspots and do a targeted aireplay -0 30 -a -c to all clients associated to the hotspot the pineapple is connected to, then run an airdrop for all other APs, minus the pineapple's.

    Here's my scenario: I walk in to a coffee shop and reach into my bag and flick the power switch on my "Raspberry Pineapple". It autoconnects to "coffee_wifi" on the r-pi's wlan0, changes the karma'd ESSID to "coffee-wifi", starts karma, kicks off all clients of "coffee_wifi" except the raspberry pineapple, kicks off all clients on any other APs, continues to hammer "coffee_wifi" with deauths, and tcpdumps all the "victim" traffic on eth0 to the SDcard on the r-pi. I don't have to open up a laptop, look suspicious running backtrack in a coffee shop, or really do anything at all. Just sit there and sip coffee. Nasty huh?

    So I'm researching how to do a script that iwlist scans nearby APs and autoconnects, then takes that ESSID and puts it into the karma config with a slight modification. This is just so if people don't have an open AP saved in their computers, they're still duped into connecting to my raspberry pineapple. But to do any of this, I need to know how to autostart karma after a period of time, without clicking anything, so that my r-pi has enough time to scan and connect and modify the karma configuration to the appropriate name.

    tl;dr - how do I autorun /www/pineapple/startkarma.sh after X seconds?

    Thanks!

    telot

  8. Finally! The holidays are over, wifey is at work, and I have the day off. Please note that this is the first real script I've ever written, so I'm sure there is plenty of room for optimization and whatnot. Please share your opinions, as I'm anxious to learn more.

    Anyways, here is what it does in a nutshell:

    It starts up your internet-facing wlan0 and connects it to your access point (in my case, my smartphone's hotspot). Then it configures the internet connection sharing to the pineapple (basically it runs through wp3.sh with all default settings). THEN it will start wiresharking on eth0 and write the output to the desktop. THEN it puts my alfa realtek usb card into monitor mode and begins airodumping all nearby access points. 20 seconds later it starts deauthing (via airdrop) everyone but my cellphone hotspot and my pineapple. One script to rule them all. And you can find it on my very crappy, but ad-free website, telot.org

    Enjoy friends!

    telot

  9. Not sure about "advertised" running them all at the same time for 2 hours plus. That's like saying a Pentium II can "multitask" and you run multiple high demand programs on it and wonder why it over heats.

    But i'll tell you what I can do. I will fire mine up and let it run for a while and then check the uptime, while running Karma, dnsspoof and urlsnarf. The only thing that I can't setup right now is the IP forwarding and clients. But if nothing else we can get a baseline to see if just running the tools overheats it.

    Update: With Karma, URLSnarf, DNSSpoof, and ngrep running it is only using about 15% CPU on the AP51, with 25896K used memory which leaves 3868K free.

    My guess is when you run these tools they are eating up the RAM which may cause it to reboot, or the heat in combination with. I'll update again after it's been running for a few hours.

    Mr. Protocol, i<3u

    telot

  10. Mr-protocol: what is the best method for starting up mk3?

    I mean when I open the pcc by default all modules are disabled.

    My first step: enable airmon at left hand corner

    2nd step: enable karma

    3rd step: enable url-snarf

    4th step: enable ngrep

    Is this the correct step for starting up MK3 for the first time?

    If yes, why, when I enable karma (2nd step), does airmon suddenly disable? Is it normal?

    Thanks

    There's no need to enable airmon-ng on the pineapple. It is currently broken. See my post on the subject for details (if you want to know waaaaay too much about it...). Here is the link: http://forums.hak5.org/index.php?showtopic=24637&st=0&p=191926&fromsearch=1entry191926

    Seb (the firmware dev for the mark3) says he is working on a solution for the next release. Hopefully this will be full of awesomeness. We're all rooting for you Seb!

    telot

  11. After doing my first round of tests, I'm going to have to agree with you hak5superfan. There does seem to be an issue in a default setup of windows7 that prevents it from sending out probe requests for unsecured wifi spots UNLESS the user clicks on the box that says "Connect even if the network is not broadcasting its name (SSID)". This is very odd and VERY unfortunate. While win7 machines are not yet the average wifi device you see in airports/coffee shops, it's still quite disconcerting to see that the latest and greatest flavor of the most popular PC operating system seems to be relatively immune to the pineapple's "yes man" attacks. I should preface these statements with the fact I mentioned above, that my lenovo with the "Lenovo Connection Assistant" does work without clicking on that setting, as long as there are no remembered secure wifi hotspots around (lenovo automatically places priority on security-laden wifi over unsecured). Since most manufacturers do like lenovo and put their "value-add" bloatware onto their windows PCs and the majority of users do not uninstall it, I believe further testing is needed to rule out other PC manufacturers. Perhaps we can start a list of what devices are easily pineapple'd and which are not? Thanks for bringing this to my attention superfan - maybe the devs can chime in and give their thoughts?

    telot

  12. Hey Telot!

    Well I have tried everything and I am having the same problem. First of all, my current firmware version is 1.9 and 2 of my computers are Windows 7 Home Premium and my third computer is Windows 7 Ultimate. I have tested the Pineapple starting my computers from cold boot to no success. I have deleted all the saved networks and only added an open network called test. When I create this network manually, if I only choose the option "Connect automatically when this network is in range", the computer would not detect or connect to the test network. The only network I am able to see is the internet network created by the Pineapple when Karma is activated. On the other hand if I choose also the option "Connect even if the network is not broadcasting its name (SSID)", then the computer in that case detects the test network and automatically connects to it. This happens for all my 3 laptops. What I don't understand is how am I supposed to get other people to connect automatically to my Wifi Pineapple if they don't have the "Connect even if the network is not broadcasting its name (SSID)" option selected. This option is not selected automatically when you join an open network in an airport or coffee shop. How does Darren get other people to connect automatically to his Pineapple in his videos? Am I the only one having this problem? Thanks guys!

    Thank you for elaborating on your situation in better detail for us superfan. This will certainly help us narrow down what's going on. I have not experienced this myself, but I only have one windows7 target box which I'm testing against, and it has a special lenovo wireless management center that I'm sure modifies how the wifi card and cellular card interact with the world. I will load up win7 on another box tomorrow morning and report back what I find.

    One thing's for sure, the more and more I play with this awesome little device, the more oddities and idiosyncrasies pop up. Such is life when playing with a hacked device that you didn't hack yourself I guess :)

    Anyone else notice this same issue as superfan?

    telot
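The two posts above pin the Windows 7 behaviour down to one saved-profile setting: the machine only probes for a remembered open network when "Connect even if the network is not broadcasting its name (SSID)" is ticked, and that is exactly the profile a Karma-style rogue AP can answer. From the defender's side the useful check is therefore an audit of saved profiles. The script below is an added example, not code from the thread or from the Pineapple project; it parses the XML files that `netsh wlan export profile folder=<dir>` writes on Windows and flags profiles combining open authentication, automatic connection and the non-broadcast option. The embedded profile is a constructed sample, not one exported from a real machine.

```python
"""Audit exported Windows WLAN profiles for the probe-request setting above.

Added example (not from the forum thread). It reads the XML files that
`netsh wlan export profile folder=<dir>` writes and flags saved networks that
(a) connect automatically, (b) use open authentication and (c) have
"Connect even if the network is not broadcasting its name (SSID)" enabled.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by every profile file Windows exports.
NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profile (not exported from a real machine). It mirrors
# the "test" network described in the post, with both check boxes ticked.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>test</name>
  <SSIDConfig>
    <SSID><hex>74657374</hex><name>test</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>open</authentication>
    <encryption>none</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
"""


def _text(root, path, default=""):
    """Lower-cased text of the first element at `path`, or `default` if absent."""
    node = root.find(path, NS)
    return (node.text or "").strip().lower() if node is not None else default


def parse_profile(xml_text):
    """Extract the three settings that matter from one exported profile."""
    root = ET.fromstring(xml_text)
    return {
        "name": (root.findtext("p:name", default="", namespaces=NS) or "").strip(),
        "auto_connect": _text(root, "p:connectionMode") == "auto",
        "open_auth": _text(root, "p:MSM/p:security/p:authEncryption/p:authentication") == "open",
        # Windows omits <nonBroadcast> when the box is unticked, so default to false.
        "non_broadcast": _text(root, "p:SSIDConfig/p:nonBroadcast", "false") == "true",
    }


def risk_level(profile):
    """'high' is the exact combination the posts describe; 'medium' is an
    auto-connecting open network that only probes when it hears a beacon."""
    if profile["open_auth"] and profile["auto_connect"] and profile["non_broadcast"]:
        return "high"
    if profile["open_auth"] and profile["auto_connect"]:
        return "medium"
    return "low"


def audit_folder(folder):
    """Parse every exported profile in `folder`; return (name, level) pairs."""
    results = []
    for xml_file in sorted(Path(folder).glob("*.xml")):
        prof = parse_profile(xml_file.read_text(encoding="utf-8"))
        results.append((prof["name"], risk_level(prof)))
    return results


if __name__ == "__main__":
    # With a folder argument, audit real exports; otherwise classify the sample.
    if len(sys.argv) > 1:
        for name, level in audit_folder(sys.argv[1]):
            print(f"{level:6} {name}")
    else:
        sample = parse_profile(SAMPLE_PROFILE)
        print(f"{risk_level(sample):6} {sample['name']}")
```

The remediation for a "high" profile is the one the post itself implies: untick the non-broadcast option (or delete the saved open network), after which the client waits for a real beacon instead of announcing the SSID it wants.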

  13. Hmm..I've been running my pineapple on a hacked USB (outputting 5 to 5.1v according to my voltmeter) cable for weeks now with no adverse side effects. I've flashed firmware a number of times and had "targets" (my wife and her visiting family members) successfully karma'd for hours upon hours. I will run some tests on the tx output tomorrow morning to see if you do in fact sacrifice tx power. Thanks for the link/heads up pew pew

    telot

    Alright the tests are in! My testing environment was as such: a big long room with tables, chairs, couches, etc. scattered about in a semi-random fashion to mock up typical interference you'd find in a coffee shop or airport lounge. To measure signal strength I used my Samsung Epic Touch 4G (sprint's variant of the galaxy s2) with the program Wifi Analyzer on it. I did my best to hold the phone in the same way for all the tests and facing the same direction (vertically in this case). I also had it at about waist height (3 feet off the ground). I took 5 readings at each spot and averaged them for your benefit. Here's the results:

    With 12V wall wart that came with the pineapple (27dBm tx power according to iwconfig for both wlan0 and mon.wlan0):

    5ft: -42
    12ft: -50
    25ft: -62
    30ft: -69

    With 5V hacked usb cable that I made (27dBm tx power according to iwconfig for both wlan0 and mon.wlan0):

    5ft: -45
    12ft: -52
    25ft: -60
    30ft: -70

    So there you have it, a minuscule reduction in signal strength when averaged over 5 readings by going to 5V from a hacked usb cable from a 12v wall adapter. Not to mention it seems so much more reliable than those crappy battery pack adapters that came with the pineapple (no personal experience here, just from reading these forums). Cheers

    telot
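The readings above are the kind of data a tester should sanity-check before drawing a conclusion, so here is an added example (not from the post) that does two things with them: it computes the mean per-distance gap between the 12V and 5V runs, and it fits each run to the log-distance path-loss model RSSI(d) = A - 10·n·log10(d) to see whether the exponent n lands in the usual indoor range. It also shows the correct way to average dBm samples (in milliwatts, then back to dBm), which matters when the five readings at a spot differ by more than a couple of dB. The distance/RSSI pairs are copied from the post; nothing else is measured.

```python
"""Compare the two RSSI runs above and fit a log-distance path-loss model.

Added example, not part of the forum post. Inputs are the averaged readings
the post reports (distance in feet -> RSSI in dBm).
"""
import math

# Readings copied from the post above.
RSSI_12V = {5: -42, 12: -50, 25: -62, 30: -69}
RSSI_5V = {5: -45, 12: -52, 25: -60, 30: -70}


def mean_dbm(readings):
    """Average several dBm samples correctly: in milliwatts, then back to dBm.

    Averaging the dBm numbers directly under-weights the strong samples; for
    readings within a dB or two of each other the two methods agree closely.
    """
    mw = sum(10 ** (r / 10.0) for r in readings) / len(readings)
    return 10.0 * math.log10(mw)


def mean_delta_db(run_a, run_b):
    """Mean per-distance difference run_b - run_a in dB (negative = weaker)."""
    common = sorted(set(run_a) & set(run_b))
    return sum(run_b[d] - run_a[d] for d in common) / len(common)


def fit_path_loss(run):
    """Least-squares fit of RSSI(d) = A - 10*n*log10(d).

    Returns (A, n): A is the fitted RSSI at 1 ft, n the path-loss exponent.
    Free space gives n = 2; cluttered indoor spaces typically give 3 to 4.
    """
    xs = [math.log10(d) for d in run]
    ys = [run[d] for d in run]
    x_mean = sum(xs) / len(xs)
    y_mean = sum(ys) / len(ys)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    slope = sxy / sxx  # equals -10*n
    intercept = y_mean - slope * x_mean
    return intercept, -slope / 10.0


def predict_rssi(fit, distance_ft):
    """RSSI the fitted model predicts at `distance_ft`."""
    intercept, n = fit
    return intercept - 10.0 * n * math.log10(distance_ft)


if __name__ == "__main__":
    print(f"mean 5V-vs-12V change: {mean_delta_db(RSSI_12V, RSSI_5V):+.2f} dB")
    for label, run in (("12V", RSSI_12V), ("5V", RSSI_5V)):
        fit = fit_path_loss(run)
        print(f"{label}: n = {fit[1]:.2f}, model RSSI at 60 ft = {predict_rssi(fit, 60):.1f} dBm")
```

With the post's numbers the mean change is -1.0 dB, well inside the spot-to-spot noise of a handheld phone reading, and both runs fit an exponent around 3, which is what a furnished room should give; that is the quantitative version of "minuscule reduction".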

  14. Thanks again for the help Mr-Protocol; managed to sort it out using 100% the exact settings as your video

    So my advice to others having the hang up issue after "Your IP" - keep trying! It may not work the 1st time, 4th time or even on the 10th try but rest assured it'll eventually take the flash.

    ^^ Ain't that the truth! I fear a lot of our forum members (me included at first!) fail the first 5 times and convince themselves they're doing something wrong. Set things up exactly as Mr. Protocol does (our pineapple flashing guru) and just keep keep keep trying. We should have something like this pinned.

    One last question Mr-Protocol, would I be able to flash a fresh ap51 using this same method or does it differ?

    Yeppers.

    telot

  15. No, your pineapple is not broken. Are you starting your computers up from cold boot? Try that and see. The other thing is, do you have another wifi that they remember (such as your home network) that may have a stronger signal strength? Even if it's not stronger they may connect to that automatically. That is why I'm testing a deauth script that will automatically use my alfa realtek card to deauth everyone around it besides the pineapple - which, on all 6 of my tests here this morning, has been successful in bringing the folks to my pineapple. So even if they don't connect to your pineapple automatically, you might want to consider actively preventing them from connecting to others. This would be the most effective way to get people on the pineapple, and keep them there.

    telot

  16. That's what mine has been doing now for almost a month. I have flashed and reflashed but no joy...

    The pineapple shouldn't be "giving" you any IP address ever (when plugged into ethernet). That's why you set up a static IP in win7 and run the wp3.sh script in linux (which sets up a static IP). Reflash and re-read the instructions...this time try not to do it so diagonally. Good luck

    Mr. Protocol, what's your opinion of you and/or me creating a video or two on how to first set up a pineapple out of the box? That guy from this thread (http://forums.hak5.org/index.php?showtopic=23130) never responded to me, just left me hanging. It seems like you and me are the ones doing 90% of tech support on these bad boys, maybe we'd save ourselves some time? Or maybe just a FAQ would do...

    telot

  17. According to this page from Data-Alliance

    The PCB for the AP51 uses 6-18 volts to operate. No mention of mA.

    I'm guessing using a battery pack under 6 volts lowers the power output for tx, causes intermittent lock ups, as well as other strange behavior out of the Mark III.

    Hmm..I've been running my pineapple on a hacked USB (outputting 5 to 5.1v according to my voltmeter) cable for weeks now with no adverse side effects. I've flashed firmware a number of times and had "targets" (my wife and her visiting family members) successfully karma'd for hours upon hours. I will run some tests on the tx output tomorrow morning to see if you do in fact sacrifice tx power. Thanks for the link/heads up pew pew

    telot

  18. Many many many 12V devices are actually 5-20 or even 5-30V. When solution providing companies are sourcing a product for their customers, power constraints are often the first hurdle a product has to overcome, so many manufacturers engineer in a range of workable voltages to increase the target market of their product. I work with 12V systems every day (for work) and most of the devices in any given system are 5 to 12V+.

    telot

  19. My first suggestion would be to have a wifi card in monitor mode wiresharking to see what's really happening. Another thought, what device are you using to test with? My HTC Evo never sees saved open ssids from the pineapple for some reason, but my lenovo laptop does just fine, but only on boot up - my other dell laptop sees att_wifi (a saved open wifi on the machine) all the time. I suspect different wifi modules handle probe requests and responses differently. Try some other devices perhaps?

    telot

  20. Don't listen to these fools ;) VM's are overrated!

    I'm just kidding of course, but I don't share their opinion about VM's being the best for pentesting. Mr. Protocol does list out a number of pros, but there are cons as well, such as:

    It's not a real-world environment. In the real world, your targets aren't sharing your computer hardware.

    You're not running direct on hardware. Hacking hardware devices (e.g. usb to serial cables) is a pain, and in some cases impossible.

    It's not as cool looking. Having a full blown computer lab setup in your basement screams "this guy's a freakin' badass". lol

    Having a multiple machine hack lab is modular. You can move from one project to the next more easily when you have multiple hardware setups configured to do multiple things.

    As you can see, I am very hardware focused, which is why I feel the way I do about having multiple machines. Now I'm sure Mr. Protocol and Infiltrator can come up with a thousand more reasons to go with VMs - they are both very intelligent guys who know their stuff. But it's a personal decision, and truly the ideal situation is to have a mix of both VMs and multiple computers with multiple hardware configurations. So yeah, save your money for a machine that can handle VMs and play around with them. But also try and procure spare/old computers friends and family have lying around so you can have some variety in your targets. Good luck!

    telot

  21. Sorry that I am dyslexic. And yeah, I tried to delete one of them.

    No problem man

    See this link for what to do with old computers:

    http://forums.hak5.org/index.php?showtopic=11525

    All these ideas are better than a backtrack cluster. It may sound cool as hell in your head (and I agree) but in reality it's just not efficient. I'd put the lowest power server to work as a firewall box, get another as a file/game/voip server, and have the other NAT'd off into a separate pentesting network. But that's just me.

    telot

  22. One last question, do I have to use the charger that comes with the pineapple or can I use any that fits the port? I tried a charger that was lying around (I'm getting an adapter tomorrow) and it gave me that same error.

    As long as it's getting 5V you should be fine. Use a voltmeter to make sure, as a lot of generic crappy chinese AC-to-DC adapters can put out funky voltage. That's why it's great to use a hacked USB cable to power the pineapple. I've flashed mine several times on USB power with great success. I'll make a build tutorial, perhaps later today if I can get away from the family for long enough - but the gist of it is this:

    Cut off the end of a usb cable (NOT the side you plug into your computer). Cut the "plugs into pineapple" end off a generic AC/DC wall adapter. Strip back the wires carefully. On the USB cable, use the red and black wires (red being +5v and black being ground) to connect to the two wires from the plug - typically the wire with a white stripe or white dotted stripe is positive. Make sure no wires are touching, seal it all up with shrink tube to be pro or electrical tape if you want to be ghetto fabulous. Plug it into a computer you don't care about (schools? parents? girlfriends? lol) and check the voltage with a voltmeter, and make sure there's no smoke or explosions. Haha enjoy!

    telot

  23. I have also noticed that when try to stop ngrep it will come up with a blank page and url of "http://172.16.42.1/pineapple/stopngrep.php."

    Thanks again for your help.

    If you've got the ^M's going on in your config files - that will surely screw up your ngrep. I'm wondering if your firmware reflashes were not successful. Go into your ngrep files in /www/pineapple/ and remove all ^M's and see if it works then.

    telot

  24. I agree with the above - I would love to see the interceptor revived - I want to possibly try building one of these but the hardware is non-existent from my searches :(

    Someone start a poll!

    You can still find a Fon+ or two on ebay from time to time. I'm going to buy one and post my progress, though I'd love for it to be on a more updated hardware platform (more readily available to all). Anyone care to join me in trying to source said hardware?

    telot
