telot

Dedicated Members
  • Posts: 803
  • Joined
  • Last visited
  • Days Won: 12

Posts posted by telot

  1. So you're just trying to log the beacon frames you sniff? Seb, were you able to find that C program you wrote for the pineapple birdhouse project? I know you lost it...but it sure would help the cause :) Not just betab051, but also for me :D

    I too am doing this, but for totally different reasons. My pineapple is at work, so I'll have to give you clues just from my notes...I will try to correct these with an edit tomorrow. For the meantime, this should get you going.

    First off, TURN OFF all pineAP, karma, harvester, all that stuff. Turn it all off. That is why clients are connecting to you (duh..sorry, but that's what all those things are meant to do!). Reboot to make sure (I do it for superstition I guess).

    Then just ssh in and airmon-ng start wlan1

    After that it's a simple tcpdump away!

    tcpdump -i wlan1mon -e -s 256 -w /sd/probes.pcap type mgt subtype probe-resp or subtype probe-req

    NOTE: because I'm not at my pineapple, this may be incorrect. Will fix tomorrow with an edit.

    That will use the monitor mode of wlan1 to mostly just capture probe requests to the pcap. This saves a TON of space on your SD, as long as you're only interested in getting the probes. Then you can use Vivek's pcap2xml from the latest Pineapple Birdhouse episode (securitytube.net) to presto-chango it into a SQL database for easy analysis. Thanks be to Darren for the SQL-fu.

    SELECT DISTINCT addr FROM MACHeaders WHERE type = 0 AND subtype = 4

    Easy mode.

    So betab051, now that I've hopefully helped you out, tell us about your project?

    telot
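    As an added, self-contained example (not telot's code and not pcap2xml), here is the probe-request half of the workflow above done in plain Python: read a pcap of raw 802.11 frames, pull type/subtype and the transmitter address out of each MAC header, load the rows into an SQLite table, and run the same SELECT DISTINCT query from the post. The MACHeaders table here is a stand-in with just the columns that query names (type, subtype, addr) plus an ssid column; it is not pcap2xml's real schema. The capture is constructed inline with locally administered MACs, link type 105 (802.11 without radiotap), and no FCS, so it runs offline.

```python
import sqlite3
import struct

LINKTYPE_IEEE802_11 = 105  # raw 802.11 frames, no radiotap header, no FCS


def mgmt_frame(subtype, sa, ssid=None, fixed=b""):
    """Build an 802.11 management frame (type 0) sent by `sa` (constructed test data).
    addr1/addr3 are broadcast, sequence control is zero, body = fixed fields + SSID tag."""
    fc = bytes([(subtype << 4) | (0 << 2), 0x00])  # bits 2-3 type, 4-7 subtype
    header = fc + b"\x00\x00" + b"\xff" * 6 + sa + b"\xff" * 6 + b"\x00\x00"
    body = fixed
    if ssid is not None:
        body += bytes([0, len(ssid)]) + ssid  # tag 0 = SSID parameter set
    return header + body


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file image (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_400_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def iter_frames(pcap):
    """Yield the raw bytes of each record in a pcap image."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected link type 105 (IEEE 802.11); strip radiotap first")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_mac_header(frame):
    """Return (type, subtype, addr2) from the frame control field and MAC header."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    addr2 = ":".join(f"{b:02x}" for b in frame[10:16])  # transmitter address
    return ftype, subtype, addr2


def probe_request_ssid(frame):
    """Walk the tagged parameters of a probe request; '' means a wildcard probe."""
    body = frame[24:]
    off = 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if tag == 0:
            return value.decode("utf-8", "replace")
        off += 2 + length
    return None


def load_pcap_into_db(pcap):
    """Fill an in-memory MACHeaders table (stand-in schema, not pcap2xml's) from the pcap."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MACHeaders (type INTEGER, subtype INTEGER, addr TEXT, ssid TEXT)")
    for frame in iter_frames(pcap):
        parsed = parse_mac_header(frame)
        if parsed is None:
            continue
        ftype, subtype, addr = parsed
        ssid = probe_request_ssid(frame) if (ftype, subtype) == (0, 4) else None
        db.execute("INSERT INTO MACHeaders VALUES (?, ?, ?, ?)", (ftype, subtype, addr, ssid))
    db.commit()
    return db


def probing_clients(db):
    """The query from the post: distinct senders of probe requests (type 0, subtype 4)."""
    rows = db.execute(
        "SELECT DISTINCT addr FROM MACHeaders WHERE type = 0 AND subtype = 4 ORDER BY addr"
    ).fetchall()
    return [r[0] for r in rows]


def probed_ssids(db):
    """Which client asked for which named network (wildcard probes excluded)."""
    return db.execute(
        "SELECT DISTINCT addr, ssid FROM MACHeaders "
        "WHERE type = 0 AND subtype = 4 AND ssid <> '' ORDER BY addr, ssid"
    ).fetchall()


# Constructed sample capture: two probing clients (one probing twice, once with a
# wildcard SSID), a beacon from an AP and a data frame, both of which must be ignored.
CLIENT_A = bytes.fromhex("020000000001")
CLIENT_B = bytes.fromhex("020000000002")
AP = bytes.fromhex("0200000000aa")
BEACON_FIXED = b"\x00" * 12  # timestamp, beacon interval, capability info
SAMPLE_PCAP = build_pcap([
    mgmt_frame(4, CLIENT_A, b"CoffeeShop"),
    mgmt_frame(4, CLIENT_A, b""),
    mgmt_frame(8, AP, b"CoffeeShop", fixed=BEACON_FIXED),
    mgmt_frame(4, CLIENT_B, b"HomeNet"),
    mgmt_frame(4, CLIENT_A, b"CoffeeShop"),
    b"\x08\x00" + b"\x00\x00" + AP + CLIENT_A + AP + b"\x00\x00" + b"payload",  # data frame
])

if __name__ == "__main__":
    db = load_pcap_into_db(SAMPLE_PCAP)
    print("probing clients:", probing_clients(db))
    print("probed SSIDs:", probed_ssids(db))
```

    Point it at a real /sd/probes.pcap by replacing SAMPLE_PCAP with the file's bytes; if the capture carries radiotap headers (link type 127) you have to skip the radiotap length field before the 24-byte MAC header, which this reader deliberately refuses rather than silently misparsing.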

  2. So I picked up a couple of toorcon 14 badges a few years ago, and haven't done much with them (other than load up that chat program from the con...which was pretty badass I have to say!). Can anyone fill me in on any differences between these and the yardstick? The yardstick comes pre-flashed with rfcat firmware - anything other than that? Thanks very much in advance!

    telot

    hackrf is not an easy to approach toy. It is a drop-dead serious SDR - it's not like the cheapo RTL sticks for $20. It really helps to have a background in electrical engineering, with specific knowledge of RF. I would advise against buying it if you're just starting out with RF stuff. That said, if you've built up a knowledge (in school, or just hacking around), then the hackrf is an amazingly powerful tool. Ossmann has a streak of taking things that are normally EXTREMELY expensive, and open sourcing and shipping them dirt cheap. Another instance of this is the ubertooth. It's not a "let's screw around on a sunday afternoon" kind of toy, much like the hackrf. It's an incredibly powerful bluetooth development tool (and hacking tool). So yeah - avoid the hackrf unless you're ready to jump into intermediate/advanced level RF goodness.

    My two cents anyways

    telot

  4. Hey Mr-P! Long time no see (figuratively speaking of course)! I was running in a Win7 VM (not activated). To clarify, I was just going to the Devices menu in virtual box, to USB Devices, and I saw the generic description "USB to Ethernet Adapter" - ready for pass through.

    It's all good Darren - as long as it's working for testing on my OS X box, that's all I need. If others are doing a legit pentest in a mac-heavy environment, they might have to pair their attack with a USB Rubber Ducky that has a script to download the drivers (and restart...could be tricky).

    Thanks for verifying this for me denningsrogue and Mr P - it's nice to know I'm not the only one.

    telot

    No prob Darren. To clarify, the device was visible to Virtualbox, and gave the option to pass it through to a VM. It wasn't visible to OSX's network preferences screen (so no option to set a static). I was however able to download the driver from realtek's site and get it working. This might inhibit a pentest against an El Capitan victim, but for my own testing it works just dandy!

    http://www.realtek.com.tw/downloads/downloadsView.aspx?Langid=1&PNid=14&PFid=55&Level=5&Conn=4&DownTypeID=3&GetDown=false

    telot

  6. Hey all - have any other mac users upgraded to El Capitan? I did last week, and since then my Lan Turtle won't show up in the Network Preferences pane any more. I made sure my lan turtle wasn't borked by plugging it into an old Mountain Lion mac I have - works like a charm and shows right up as a USB Ethernet adapter. On my El Cap machine, I can pass the device to a VM in virtual box, so I know El Cap is seeing the device, it just doesn't populate it or receive an IP address from it. Any ideas? Thanks!

    telot

    Edit: Feels odd, but I marked my reply below as Best Answer for future searchers.

  7. I second the recommendation for TinyVZ / Ramhost.us. I've been using them for years, and their service is rock solid reliable.

    Jmanuel: The settings are saved on my Lan Turtle after reboot. I bet you went in to the turtle interface...that does revert the settings. If you change the /etc/config/autossh file and don't go back into the autossh gui, the port settings will persist after reboot.

    Hope that helps!

    telot

  8. I too am slightly confused. It sounds like you're using the two ethernet ports and using this as kind of a "monkey in the middle" on the LAN only. I've done this before as well, and it works pretty slick, though I was just tcpdumping and sslstripping at the time (no ettercap). This should point you in the right direction though:

    # Here's my Lanport.sh - this preps the two eth ports to talk to each other

    #!/bin/sh
    # allow new connections from the 172.16.42.0/24 client network out the other interface
    iptables -A FORWARD -i eth1 -o wlan0 -s 172.16.42.0/24 -m state --state NEW -j ACCEPT
    # and let the replies come back
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    # And here's my DumpNstripLAN.sh - dumps all the traffic and strips the SSL.

    #!/bin/sh
    tcpdump -i br-lan -w /usb/cap.pcap -n net 172.16.42.0/24 &
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000
    sslstrip -w /usb/sslstrip.log &

    Hope this helps ya out billycz!

    telot

  9. Could it be you guys have defective units? My PineAP grabs all kinds of clients. Perhaps you're not in a target rich environment? Setting up at my work (where I am charged with security and have permission to run tests of this sort) I get literally dozens of clients within minutes of turning on PineAP. I would encourage you to get out there and see what the world has to offer - legally of course.

    :D

    telot

  10. This thread has been a great read! Thanks to you all for being my early adopting guinea pigs. With all of these bugs and issues, do you guys see any reason to upgrade? I tried searching, but can't seem to find any "tent pole" features that warrant me suffering through all these problems. Old Kali is chugging along just fine. Thanks in advance,

    telot

  11. Pretty simple hack to turn the Amazon Dash button into an "anything you program it to do" button. Requires no hardware modifications like that adafruit guide does - it's all in sniffing ARP packets (something the hak5 community should be well versed and capable of doing!). Let's hear some ideas of what can be done with this neat lil hack!

    https://medium.com/@edwardbenson/how-i-hacked-amazon-s-5-wifi-button-to-track-baby-data-794214b0bdd8

    Some ideas I've seen thrown around:

    Turning on/off to wifi-enabled lightbulbs.

    Automatically sending your significant other an "I love you" text.

    telot's ideas:

    Turn on/off Karma on your wifipineapple

    Have your server compile and email you a status report (uptime, current load, etc)

    telot
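    An added example of the ARP-sniffing idea behind this post, not code from the linked article or from telot: it parses raw Ethernet frames, keeps only IPv4-over-Ethernet ARP requests, looks the sender MAC up in a table of known buttons, and collapses the burst of requests a waking device sends into one "press". The frames, the button MAC (a locally administered address, not a real Amazon OUI) and the action names are all constructed here; on a live box you would feed it frames from a raw socket or libpcap on the interface the button's wifi is bridged to.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(src_mac, oper, spa, tpa, tha=b"\x00" * 6):
    """Constructed Ethernet + ARP frame (broadcast destination, IPv4 over Ethernet)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + src_mac + bytes(spa) + tha + bytes(tpa)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa = ip_str(frame[28:32])
    return {
        "oper": oper,
        "sha": mac_str(frame[22:28]),
        "spa": spa,
        "tha": mac_str(frame[32:38]),
        "tpa": ip_str(frame[38:42]),
        # RFC 5227 address probe: a request whose sender IP is 0.0.0.0
        "probe": oper == ARP_REQUEST and spa == "0.0.0.0",
    }


def run_button_watcher(frames, buttons, window=5.0):
    """frames: iterable of (timestamp, raw frame). Returns [(timestamp, action), ...].
    A button wakes, sends a handful of ARP requests, then sleeps, so every request
    from one MAC within `window` seconds counts as a single press."""
    last_seen = {}
    fired = []
    for ts, frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REQUEST:
            continue
        action = buttons.get(arp["sha"])
        if action is None:
            continue  # some other host on the LAN, not one of our buttons
        if arp["sha"] in last_seen and ts - last_seen[arp["sha"]] < window:
            continue  # still the same press
        last_seen[arp["sha"]] = ts
        fired.append((ts, action))
    return fired


# Constructed sample traffic: one button pressed twice (three requests per press),
# a laptop doing a normal ARP lookup, and an unknown device probing for an address.
BUTTON_MAC = bytes.fromhex("02000000da01")
LAPTOP_MAC = bytes.fromhex("020000000050")
STRANGER_MAC = bytes.fromhex("020000000099")
BUTTONS = {mac_str(BUTTON_MAC): "toggle_lights"}  # constructed MAC -> action mapping
ZERO_IP = (0, 0, 0, 0)
SAMPLE_FRAMES = [
    (0.0, build_arp_frame(BUTTON_MAC, ARP_REQUEST, ZERO_IP, (192, 168, 1, 77))),
    (0.3, build_arp_frame(BUTTON_MAC, ARP_REQUEST, ZERO_IP, (192, 168, 1, 77))),
    (0.6, build_arp_frame(BUTTON_MAC, ARP_REQUEST, ZERO_IP, (192, 168, 1, 77))),
    (2.0, build_arp_frame(LAPTOP_MAC, ARP_REQUEST, (192, 168, 1, 50), (192, 168, 1, 1))),
    (30.0, build_arp_frame(BUTTON_MAC, ARP_REQUEST, ZERO_IP, (192, 168, 1, 77))),
    (31.0, build_arp_frame(STRANGER_MAC, ARP_REQUEST, ZERO_IP, (192, 168, 1, 90))),
]

if __name__ == "__main__":
    for ts, action in run_button_watcher(SAMPLE_FRAMES, BUTTONS):
        print(f"t={ts:5.1f}s  press -> {action}")
```

    The debounce window is the part people usually get wrong: without it every press fires three or four times, and with a window that is too long a quick second press is swallowed; a few seconds is plenty since the button sleeps between presses.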

  12. So I got tcpdump working like a charm (as long as you utilize a sshfs destination so you don't fill up the tiny MBs of onboard), but like any good hacker, I want to strip those pesky SSLs. Browsers have certainly come a long way since moxie blessed us with the fruit of his labors, but it's still fun to play around with, despite it being somewhat deprecated. I dug up my old thread on getting sslstrip to work with the pineapple (long before the Amazing Whistlemaster made it a module):

    https://forums.hak5.org/index.php?/topic/26759-full-sslstrip-guide/

    and everything works great up until the iptables prerouting portion. Can any iptables-fu ninja help me out with the appropriate commands to run to get it to work? Or is this just not possible with the lan turtle? Many thanks!

    telot

  13. Awesome RussDR - thanks for checking this out. Unfortunately I wasn't able to repeat your success. I changed the /etc/config/nmap file like you suggested, as seen below:

    config 192.168.1.1 'target'

    config 7 'profile'

    config 'log'

    Saved it and went back to the turtle gui - when I try to configure the log location, I get the same slight screen refresh, and no entry to the menu. Can you share what your /etc/config/nmap file looks like after you've configured it within the module? Maybe I can just manually enter it and it will work then? I tried:

    config /sshfs 'log'

    but to no avail. Any additional help would be much appreciated!

    telot

  14. I got my turtle yesterday, and playing around in the cli I've found arpspoof, tcpdump, dsniff, hping3, and ettercap. All ripe for module-making! I'm sure I'm missing some others - what nuggets of goodness have you guys found?

    This turtle must be mcdonalds, cause I'm lovin' it!

    telot

  15. Hey guys - When I try to run the nmap scan, I'm not able to configure a log location. I select the "Log - Choose Log Location" from the turtle gui, but I don't go to another screen, it just flashes the same screen.

    I set up sshfs just fine so I don't clog up the internal storage on the device, so ideally I'd point the nmap to /sshfs. Any ideas? Known bug? Anyone else able to reproduce this?

    Thanks in advance

    telot

  16. Unfortunately that's not how the remote port works in the lan turtle. I too use a non-standard SSH port, as it's part of my handy-dandy TELOT'S BEST SSH PRACTICES rulebook (keeps the script kiddies from pounding at your door - security through obscurity ftw). I tried setting it up every which way within the turtle gui manager, but was unable to get it to work. When I switched my server's ssh port back to 22, it works like a champ. What's really odd is that when I try to autossh from the cli, this seems to be a different version of autossh that I'm not familiar with. Here's how I'd like the autossh to work: autossh -R 2222:localhost:22 telotsvps.com -p 2023 but I just get the help spammed back at me. To explain: I'd connect to my telotsvps.com on port 2023, then ssh -p 2222 localhost to get back to the lanturtle.

    Darren, any insight on how we can have our non-standard ports implemented via the gui? And if not, can we edit some file within the turtle to trick it into working?

    Also, great to be back guys - HEY BARRY! Long time no see!

    Also also, this lan turtle is F'ING AWESOME - great job dk!

    telot

  17. It was released yesterday. Unfortunately it's not in an ISO. While making it easier to drag/drop to a USB stick I guess, it prevents me from testing it out in a VM (unless there's some trick I'm missing...?). At the moment I can't do a full re-install on my main box, so I'm turning to you guys who probably don't have the same constraints as me :)

    Anyone tried it out yet? Thoughts? Criticism? And what we're really after...any hacks?

    telot
