telot (Dedicated Members): 803 posts, 12 days won

Posts posted by telot

  1. There was a talk at Derbycon last year, about hacking vending machines and other consumer appliances. The gist of it was, if it has a usb port somewhere on it, plug in a keyboard and see what you can do. That would certainly be the first step to see if a ducky attack is possible. Good luck!

    telot

  2. If running tons of modules/infusions simultaneously is what you're after, you will need two pineapples. If you split the load over 2 pineapples, in tango mode, each with its own extra alfa card, I guess it's possible. I'm more of a terminal guy, so if you can live without the gui, you can get away with zero pineapples. If you just want to run all the tools simultaneously, I'm guessing you could do it with either a pi or Bbone. I've got a pi setup with karma with 2 alfas (karma/master mode on one, airdrop'ing on the other) so that I could test some stuff with metasploit. I'm sure you could add yet another alfa as a kind of 'utility' interface for reaver/mdk3/aircrack. I can't speak to the Beagle Bone, but the pi is not going to be super fast, especially when running msf, but it can certainly handle a greater multitasking load than the more purpose-built pineapple.

    telot

  3. I didn't see this on the wiki, so I added it.

    Anyone figure out how to append this command to the autossh script that is autorun? I tried the standard "&&" to no avail (ssh relay works, http no worky). Here's the command I'm using:

    autossh -p 2222 -M 20000 -N -R 4255:localhost:22 user@myvps.com -i /etc/dropbear/id_rsa && ssh -p 2222 -f -N -R 4266:localhost:27015 user@myvps.com -i /etc/dropbear/

    Note: I hate using standard ports, so I'm using 2222 as my ssh port for my vps, and 27015 as my pineapple's http interface port. CS/TFC represent!

    telot
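An added example, not part of telot's post: the reason the "&&" never fires is that autossh with -N stays in the foreground until the tunnel dies, so the second ssh only starts once the first one has already failed. Carrying both reverse forwards in a single autossh invocation (and letting autossh background itself with -f) avoids the problem entirely. VPS user, host, port and key path are taken from the command above; everything else is an assumption.

```shell
#!/bin/sh
# Added example: one autossh process carrying both reverse forwards.
# Assumed values (taken from the post above): VPS sshd on 2222, dropbear key.
VPS_USER="user"
VPS_HOST="myvps.com"
VPS_PORT="2222"
KEY="/etc/dropbear/id_rsa"
MONITOR_PORT="20000"
# remote_port:local_port pairs; 22 is the pineapple's sshd, 27015 its web UI
FORWARDS="4255:22 4266:27015"

# Build the autossh argument list, one argument per line, so it can be
# inspected (and tested) without a live VPS.
build_args() {
    printf '%s\n' -p "$VPS_PORT" -M "$MONITOR_PORT" -f -N -i "$KEY"
    for fw in $FORWARDS; do
        rport=${fw%%:*}
        lport=${fw##*:}
        printf '%s\n' -R "${rport}:localhost:${lport}"
    done
    printf '%s\n' "${VPS_USER}@${VPS_HOST}"
}

# Number of -R forwards the command line carries.
count_forwards() {
    build_args | grep -c '^-R$'
}

start_tunnel() {
    [ -r "$KEY" ] || { echo "key $KEY not readable" >&2; return 1; }
    # autossh handles -f and -M itself and passes the rest through to ssh:
    # -f detaches after the first successful connect, -N opens no shell.
    # Word-splitting of the argument list is intended (no values contain spaces).
    autossh $(build_args | tr '\n' ' ')
}

if [ "${1:-}" = "start" ]; then
    start_tunnel
fi
```

Drop this in place of the single autossh line in the autorun script and call it with "start"; on the VPS side, port 4266 then reaches the pineapple's web interface on 27015 just as 4255 reaches its sshd.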

  4. If you connect to a honeypotted AP it depends on what traffic you do over it. If you don't pay attention and login to facebook/gmail/etc that's had SSL stripped or ignore any SSL warnings, you're boned.

    There are also apps that use SSL but don't verify SSL certificates. If you use one of these apps and there's someone evil in between you, you can still get boned..

    Can you verify sslstrip works on some apps? I've not had any luck with it. Moxie has an awesome write-up on his site about how the prevalence of apps is a huge boon for ssl-related security due to the fact the apps don't have to conform to browsers. Any info would be appreciated kyhwana!

    telot

  5. Holy hannah. Monster post came to clobber us all haha! First and foremost welcome to the community! It's always great to have another programmer-by-trade member among our ranks. I'll just start at the top and do my best, and I'm sure others will comment in and add stuff too.

    My desired config: Get rid of the intermediary laptop and have the pineapple connect to some preset APs or any open AP in range. Possibly connect using a cheap usb aircard. Obviously I'd need a wifi card + usb hub for the former. To capture all traffic flowing through the pineapple, preferably in a semi-formatted report rather than just a .pcap file I need to parse out.

    This is all totally possible, but not "off the shelf". Removing the laptop/ICS out of the equation can be done via the network manager module or scripts quite easily. Foxtrot is working on a module that will automate this kind of thing, but right now if you want ICS through wifi or 3G, you'll have to script it yourself (and hopefully share with us!) or do it manually each time. Remember that to use most aircards and external wifi modules (e.g. alfa's) you'll need a powered usb hub. As for the semi-formatted report, I have a very poorly formatted report emailed to me automatically from my pineapple (and by very poorly, I mean it's just a list of the logs).

    1) Where can I find the same information that is displayed on the Status screen of the pineapples homepage? Specifically I want to see the karma probe request details and "who is connected" status. I'm guessing that the latter is in /var/dhcp.leases ? What does the * mean after the client in those?
    { cat /tmp/dhcp.leases; echo; cat /proc/net/arp; echo; grep KARMA /tmp/karma.log | grep -v -e enabled -e malloc -e CTRL_IFACE -e KARMA_STATE -e Request; } >> /usb/emailreport.log
    Above you'll see a snippet of how I see "who is connected". This snippet is taken directly from the pineapple index.php and put in my emaillog.sh. I'd guess you can find similar bash-fu for the probe request details in the source of index.php. Not sure on the star.
    2) But just because a client connected doesn't mean they still ARE connected. Is there a way to see an active display of who is connected and sending data. Would something like tcptrack would work?

    Maybe cat'ing the arp table?

    3) Is there a way to see client disconnects and tell if they did a hard disconnect (like "oh crap, this is the wrong ap! disconnect!) or they simply went out of range.

    A disconnect frame is a disconnect frame. You might be able to hack something together to see if you received a disconnect frame from a client who is no longer connected or not, but currently it is not possible.

    4) infusion logs. Most important to me are the sslstrip, tcpdump, and urlsnarf logs. It's not totally clear where these are. On one hand, you have /pineapple/logs which contains a urlsnarf.log but for me it's always empty. Is this the place where non-usb installed infusions are supposed to keep their logs? Because we also have /usb/infusions/urlsnarf/log, which for me has some files, one empty and one that successfully captured traffic once.

    Not sure on this one. I use sslstrip and tcpdump via ssh and/or scripts only. I'm sure someone else knows though!

    INFUSIONS

    This is where I really need some help. I am very thankful for the community provider infusions but they aren't exactly self-explanatory. Are you only supposed to run one at a time or what? I typically run tcpdump, urlsnarf and sslstrip at the same time.

    I don't ever run urlsnarf and tcpdump at the same time, and I think it might not work (both are redirecting port 80 I believe?). I always run tcpdump and sslstrip at the same time though.

    This might not be a good idea (since tcpdump should capture EVERYTHING, right?) but sslstrip might be providing a better, more verbose capture than tcpdump and tcpdump is uncessary if I'm running that.

    You need to read up on your tools. sslstrip is by no means a packet capturing tool - it's a pure man-in-the-middle SSL stripper. It will only output stripped ssl info. tcpdump is what you want for the full picture of what's going on, and sslstrip to remove their ability to hide from that "full picture". Both must be used in conjunction.

    Your next questions about sslstrip and tcpdump, please see my posts/wiki pages on it. If you still have questions, by all means ask them.
    For timestamps, google or search the forums. The answer is, yes you can correct the date on your pineapple (I've just forgotten how lol).
    Memory: I'm not sure about the infusion, but what all do you have running when you take those readings? With sslstrip and tcpdump running, I'm at 1088 free on a "free -m" check.
    Mac Address: That's because it is made by alfa. Run macchanger as part of your scripts.
    Order of usb things plugged in at bootup don't matter as far as I know. I recall a post about this though...something about an external alfa becoming wlan0 instead of the internal? I may be imagining things though. Search the forums.
    Default Channel: We here at the Wifi Pineapple Community take things to 11. That's why it's at 11.
    You can tether with android via usb. Search forums.
    Ssh on lan: Connect your local lan to the lan port and have at it. Autossh is totally different, but also may be applicable for you. It's for reverse-ssh tunneling awesomeness. The pineapple connects to a server (vps or whatever) and you dial into that server to access the pineapple. See hak5's series on ssh for a full (and amazing) explanation. Autossh is just a keep alive for that ssh connection.
    I'm exhausted. I'll continue editing this post, but man, you really went all out! I applaud your enthusiasm! I'm sure all my efforts here will be rewarded when you whip up some sick new module right? Haha, again, welcome to the community shutin!
    telot
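An added example for questions 1 and 2 above, not code from telot's post or from the pineapple's index.php: the lease file alone only says who was handed an address, so this script joins dnsmasq's dhcp.leases with the kernel ARP table and marks a client "active" only when the kernel has a complete (flag 0x2) ARP entry for it. In dnsmasq's lease format the fields are expiry, MAC, IP, hostname and client-id, and a "*" stands for an unknown hostname or client-id. The paths /tmp/dhcp.leases and /proc/net/arp are the real inputs on the pineapple; the two sample files the script can write for itself are constructed data.

```shell
#!/bin/sh
# Added example: join dnsmasq leases with /proc/net/arp to list connected clients.
# Real inputs on the pineapple; overridable so the script can run on sample data.
LEASES="${LEASES:-/tmp/dhcp.leases}"
ARP="${ARP:-/proc/net/arp}"

# dnsmasq lease line: <expiry epoch> <MAC> <IP> <hostname|*> <client-id|*>
# /proc/net/arp line:  <IP> <HW type> <flags> <MAC> <mask> <device>
# flags 0x2 = complete entry (the client answered ARP), 0x0 = stale/incomplete.
connected_clients() {
    awk '
        FILENAME == ARGV[1] {             # first file: ARP table
            if (FNR == 1) next            # skip the header line
            if ($3 == "0x2") up[$1] = $4  # IP -> MAC for complete entries
            next
        }
        {                                 # second file: leases
            ip = $3
            host = ($4 == "*") ? "(no hostname)" : $4
            state = (ip in up) ? "active" : "lease-only"
            printf "%s %s %s %s\n", state, ip, $2, host
        }
    ' "$ARP" "$LEASES"
}

# Count only clients that currently answer ARP.
active_count() {
    connected_clients | grep -c '^active '
}

# Constructed sample inputs so the script can be exercised offline.
make_sample_data() {
    d=$(mktemp -d)
    LEASES="$d/dhcp.leases"
    ARP="$d/arp"
    cat > "$LEASES" <<'EOF'
1700000000 00:11:22:33:44:55 172.16.42.100 android-phone 01:00:11:22:33:44:55
1700000100 66:77:88:99:aa:bb 172.16.42.101 * *
1700000200 cc:dd:ee:ff:00:11 172.16.42.102 laptop *
EOF
    cat > "$ARP" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
172.16.42.100    0x1         0x2         00:11:22:33:44:55     *        wlan0
172.16.42.101    0x1         0x0         00:00:00:00:00:00     *        wlan0
EOF
}

if [ "${1:-}" = "sample" ]; then
    make_sample_data
fi
connected_clients
```

Run it as-is on the pineapple, or with "sample" to see the three cases: a client that is up, one whose ARP entry has gone stale, and one that still holds a lease but has not been seen at all. A stale entry does not distinguish a deliberate disconnect from a walk-away, which is the point telot makes in answer 3.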
  6. Well if you don't have internet, your best bet would surely be randomrolls. Perhaps do some tests beforehand with androids and iphones, as I recall one of the rolls (could be rick?) doesn't work very well on iphone - no sound.

    If you're trying to have an impact on these people, it would be ideal to bring a 3G/4G dongle with you. I mean, Rick Rolling someone does prove to the educated person the power of the pineapple, but to laymen, it's just a party trick. To really drive your point about security, showing them their tcp traffic is a powerful message. Filter out POSTs in wireshark, run sslstrip and create a wall of sheep, that's the stuff that turns heads. If you really want to freak them out, show them the injection stuff (evil java, keylogger) that's being worked on.

    Good luck WatskeBart - let us know how you do!

    telot

  7. Just had a thought - I'm not sure what I proposed would work after all, at least for printing. Now that I think it through, the host computer would be assigning you an IP (acting as a dhcp server) - it's not going to reach out to its real dhcp server and give you one of those IPs - not in windows at least. Anyone know if I'm wrong?

    telot

  8. There's a more elegant solution: Portable Printer. If you're driving back and forth just to print something, this could easily be cost-justified with your boss.

    IF you want to do this as a POC or just a fun hack-tastic project, hells yeah, but just know that it's far from the best solution for your particular problem.

    The biggest issue with your proposed plan is, there's no way for the wr703n to get internet just by being plugged in via usb. It just doesn't work that way. The wr703n is designed to get power from the usb, and I think that's it. One option would be to buy a usb-to-ethernet adapter (a la hakshop) and plug that into the host computer, turn on internet connection sharing to the adapter, then plug in your laptop to the adapter.

    Another option: If you need it to do wifi, plug in a wifi adapter to the host computer. Then plug in a rubberducky with Darren's "Make an AP" script for windows7. You might have to add some lines to the script that setup ICS between the wired and the wireless.

    Either way, you'll need a machine that is not locked, and permission from the owner to do this - as without permission it would be TOTALLY illegal.

    telot

  9. I think we should tackle this. Enough of us pineapple owners are also osx-friendly now, that we need a comprehensive solution. Thankfully, OSX is based off of unix, so I'm thinking a little cli-fu is in order. A quick google found this:

    http://hints.macworld.com/article.php?story=20050331194834746

    I'm about to hop on a plane, so I was only able to give it a quick glance, but it appears as though this script can be modified to address our needs. Thoughts?

    telot

  10. Facebook works. Gmail works. Twitter works.

    What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all.

    telot

  11. How I do it is use tcpdump to cap every packet (as outlined in my tcpdump guide on the wiki). From there you can open the pcap file in wireshark and filter for POST. Not only do you get any and all plain-text passwords, but you can also see everything else. A full picture, instead of just the username/password.

    http.request.method == "POST"

    telot

  12. Most of the time I dread it when people dredge up old threads - but in this case it's awesome! Very interesting discovery there skimpniff! Is there an upper limit to how many SSIDs you can add in /etc/config/wireless? As you said, it's a great opportunity to increase your chances of landing someone "on purpose", as opposed to karma'ing them. Very cool

    telot

  13. Is the existing AP wep, open, or wpa? If it's WPA protected, you'll need to use wpa_supplicant and dhclient, otherwise just iwconfig (and maybe some dhclient as well) will work. Those are the tools to use to connect your alfa to the existing AP, then you can use the network manager to tell your pineapple that you want to get your ICS from the alfa. After that you should be all set.

    telot
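An added example of the wpa_supplicant route described above; it is not telot's code. It assumes the Alfa comes up as wlan1 and the pineapple's client-facing radio is wlan0, that busybox udhcpc is the DHCP client (dhclient takes the same interface argument), and that iptables is available for the manual equivalent of what the network manager module does; the SSID and passphrase in the usage line are placeholders. The config writer refuses passphrases outside the 8 to 63 characters WPA-PSK allows, which is the usual reason a hand-written config silently never associates.

```shell
#!/bin/sh
# Added example: join an existing WPA2 (or open) AP on an external adapter and
# share that uplink with the pineapple's clients.
UPLINK_IF="${UPLINK_IF:-wlan1}"   # assumed: the Alfa
CLIENT_IF="${CLIENT_IF:-wlan0}"   # assumed: the pineapple's own AP interface
CONF="${CONF:-/tmp/wpa_uplink.conf}"

# Emit a minimal wpa_supplicant config on stdout. A quoted psk="..." is the
# plaintext passphrase; wpa_supplicant derives the PBKDF2 key itself. With no
# passphrase the network block is written for an open AP (key_mgmt=NONE).
wpa_conf() {
    ssid=$1
    psk=${2:-}
    if [ -n "$psk" ]; then
        len=${#psk}
        if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
            echo "WPA passphrase must be 8..63 characters (got $len)" >&2
            return 1
        fi
        printf 'network={\n\tssid="%s"\n\tpsk="%s"\n\tkey_mgmt=WPA-PSK\n}\n' "$ssid" "$psk"
    else
        printf 'network={\n\tssid="%s"\n\tkey_mgmt=NONE\n}\n' "$ssid"
    fi
}

# Associate the uplink adapter and get an address on it.
join_uplink() {
    wpa_conf "$1" "${2:-}" > "$CONF" || return 1
    chmod 600 "$CONF"                                # the passphrase lives in there
    ip link set "$UPLINK_IF" up
    wpa_supplicant -B -i "$UPLINK_IF" -c "$CONF"     # -B: run in the background
    udhcpc -i "$UPLINK_IF"                           # or: dhclient "$UPLINK_IF"
}

# Manual ICS: NAT client traffic out of the uplink, allow only replies back in.
share_uplink() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -j MASQUERADE
    iptables -A FORWARD -i "$CLIENT_IF" -o "$UPLINK_IF" -j ACCEPT
    iptables -A FORWARD -i "$UPLINK_IF" -o "$CLIENT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage (placeholder credentials):
#   join_uplink "CoffeeShopWifi" "hunter2hunter2" && share_uplink
#   join_uplink "FreeAirportWifi"          # open AP, no passphrase
```

If the network manager module is doing the ICS half for you, use only join_uplink and point the module at the uplink interface; the FORWARD rules above are what it needs to have in place either way.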

  14. Also, if you don't mind sshuttling instead of VPN, you can get a TinyVZ vps for $15 per YEAR. That's right, per year. I've been using one for a couple weeks now and I've yet to be disappointed. Great service, and 100% uptime thus far. Check them out

  15. I use my home server vpn if I just want a secured connection (for example, if I'm on public open wifi) and use Vypr VPN services when I want to "be" somewhere else. They've got servers all over the world, and sometimes it's nice to appear like I'm in the UK (bbc player) or elsewhere. Also, the connection is very fast.

    telot
