
Valsacar

Active Members
  • Posts: 48
  • Joined
  • Last visited
  • Days Won: 1

Everything posted by Valsacar

  1. Ah, well I was thinking of a relatively mature organization where all actions are logged in some sort of tracking system (trouble tickets, or the like) where it would be fairly easy to know if it's legit or not. So in the example of psexec, a quick search of the ticket/work log system would tell me that a sysad is working on those systems and therefore it is pretty safe to assume that it's not an attacker. Of course, if it's not in the logs it would require further investigation, but that's kind of the point of this exercise, identify specific log entries that definitely warrant looking into vs those that are pretty benign. For example, if I were to audit logon events (which is a good thing to log, if something comes up later) I wouldn't want to investigate each one, as that would be a huge waste of time and resources. Something like psexec, or 552, would be relatively easy to deconflict if you had a good, centralized, tracking system of all admin type work.
  2. So, I was reading Mubix's blog a little while back and he wrote about how PSEXEC shows up in the events log. It got me thinking, why can't I find a list anywhere of things like that which should be red flags in event, and other, logs? Anyone care to help build such a list? I'm starting off with what Mubix mentioned (though, I'm sure it will get changed later) and another obvious one. Windows Server 2003 Event ID 552 - when someone uses something such as RUNAS, it could be a sysad doing their job or an attacker doing something else, but worth looking into. What other things can we all think of? Assuming a network that has a centralized log management server, so all server (say Windows 2003/2008 and maybe some Linux or Solaris ones) logs can be easily alerted off of, as well as firewall events. Anything that's an obvious red flag (like PSEXEC) or warrants further research.
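Added example (not from the thread or its author): a small Python triage pass over constructed event records that flags the two indicators raised in posts 1 and 2 (Event ID 552 explicit-credential logons such as RUNAS, and the PSEXESVC service PsExec installs) and deconflicts each hit against a constructed ticket/work log, as post 1 suggests. It assumes the service install is logged with the service name PSEXESVC (shown here as System event 7045, the 2008-era service-install event); host, user and ticket names are made up.

```python
from datetime import datetime
# Constructed sample feed from the "centralized log server"; ISO timestamps.
EVENTS = [
    {"time": "2012-03-01T09:02:00", "host": "SRV01", "event_id": 552,
     "user": "jdoe", "detail": "Logon attempt using explicit credentials"},
    {"time": "2012-03-01T09:05:00", "host": "SRV02", "event_id": 7045,
     "user": "jdoe", "detail": "Service installed: PSEXESVC"},
    {"time": "2012-03-01T09:06:00", "host": "SRV02", "event_id": 528,
     "user": "jdoe", "detail": "Successful logon"},
    {"time": "2012-03-01T23:40:00", "host": "SRV03", "event_id": 7045,
     "user": "svc_backup", "detail": "Service installed: PSEXESVC"},
]

# Constructed ticket/work log: who is approved on which host during which window.
TICKETS = [
    {"id": "CHG-1001", "host": "SRV01", "user": "jdoe",
     "start": "2012-03-01T08:30:00", "end": "2012-03-01T12:00:00"},
    {"id": "CHG-1001", "host": "SRV02", "user": "jdoe",
     "start": "2012-03-01T08:30:00", "end": "2012-03-01T12:00:00"},
]

def red_flag_reason(ev):
    """The two indicators from the thread, or None for everything else."""
    if ev["event_id"] == 552:                       # RUNAS-style explicit creds
        return "explicit-credential logon (552)"
    if "PSEXESVC" in ev["detail"].upper():           # service name PsExec drops
        return "PsExec service install (PSEXESVC)"
    return None

def matching_ticket(ev, tickets=TICKETS):
    """Ticket id covering this host, user and time, or None (deconfliction)."""
    t = datetime.fromisoformat(ev["time"])
    for tk in tickets:
        in_window = (datetime.fromisoformat(tk["start"]) <= t
                     <= datetime.fromisoformat(tk["end"]))
        if tk["host"] == ev["host"] and tk["user"] == ev["user"] and in_window:
            return tk["id"]
    return None

def triage(events=EVENTS, tickets=TICKETS):
    """(host, reason, verdict) for each red-flag event; benign events are skipped."""
    out = []
    for ev in events:
        reason = red_flag_reason(ev)
        if reason is None:
            continue
        tk = matching_ticket(ev, tickets)
        out.append((ev["host"], reason, f"covered by {tk}" if tk else "INVESTIGATE"))
    return out
```

Only the ticketless PSEXESVC install on SRV03 at 23:40 comes back as INVESTIGATE; the 552 and the daytime PsExec run on jdoe's ticketed hosts are marked as covered, and the ordinary logon never reaches the analyst.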
  3. According to that, we can use the 036H as an extender... but I can't get it to recognize it. The extender diagram is actually what I want it to do.
  4. That's why the random script deletes the /www/index.html and then builds a symlink to whatever is up next.
  5. <HTML><Head><Title>NYAN CAT!!! </Title></Head>
     <Body>
     <img src="NYAN.gif" width="500" height="350"><br />
     <audio controls="controls" autoplay="true" loop="loop">
       <source src="/NYAN.mp3" type="audio/mp3" />
     </audio>
     </Body></HTML>

     Adding the loop="loop" will cause it to keep looping instead of playing just once. One thing I don't like is seeing the audio controls, but I haven't found a way to remove them. Also, have you tested this on Firefox? From what I've read Firefox does not support mp3 in HTML5. Adding an ogg to the source list SHOULD let it work on all, but so far I have not gotten that to work (Ubuntu).

     For fun, I made up a little script to randomly change between all of the different rick rolls that have been posted (pbj, nyan, and rick). First move all of your stuff to USB; I made a folder called webfun: /usb/webfun/rick, pbj, and nyan. Add a symlink to each folder from /www (ie /www/rick, /www/pbj, etc). Then create the following script (I put it in /root and called it random.sh):

     #!/bin/bash
     # stdin is the 0-255 number produced by the dd/hexdump pipeline in the cron line
     read RAND
     RAND=$(($RAND % 3))
     # touch first so the rm never complains about a missing file
     touch /www/index.html
     rm /www/index.html
     case $RAND in
       0) ln -s /usb/webfun/pbj/index.html /www/index.html ;;
       1) ln -s /usb/webfun/nyan/index.html /www/index.html ;;
       2) ln -s /usb/webfun/rick/index.html /www/index.html ;;
     esac

     Be sure to chmod +x random.sh. The reason for the touch is that I had an issue where somehow the index file was gone and the thing just liked to complain about it, so touch first to make sure it's there to delete. Then in your Jobs tab, add this line to your crontab:

     */5 * * * * dd if=/dev/urandom bs=1 count=1 | hexdump -e '5/1 "%1d"' | /root/random.sh

     End result is that every 5 minutes it changes (randomly) which of the three shows up... just for a little added amusement. The part in crontab is what makes the random number; I couldn't find any other way to do random as the normal bash random feature isn't present... basically what it does is take one byte from urandom then turn it into a decimal number (0-255), and the first few lines of random.sh use mod to bring that down to 0-2 (3 possibilities).
  6. I found something like that, but it's even better. The cable splits between the Type M connector (the power) and a female USB, so I don't lose the port. I can't put anything powered on it (pineapple can't draw enough if I do) but I can still use it for something like a USB key. Since my laptop only has 2 USB ports, it's really useful.
  7. Thanks, I just finished my script that will randomly flip between the three every 5 minutes... random fun!
  8. From what I understand from reading and playing with things, it's the uci that's causing a lot of the problems. /etc/config/wireless tells it how things should be, and if there is a conflict it either stops working (as has happened when you change MAC) or it reverts back to what it thinks it should be. Changing that config file and doing uci commit wireless;wifi will solve most... well I think I forgot to mention that before, when you do the change to /etc/config/wireless you do have to do uci commit wireless before it takes effect (but I'm 95% sure reboot would also work).
  9. Did you try doing just changemac.sh manually to see if the mac change is going through? Or try manually running the line from your boot script:

     dd if=/dev/urandom bs=1 count=1 | hexdump -e '5/1 "%1d"' | /root/changemac.sh

     Make sure that is in there right and doing as expected (waiting up to 15 seconds, then doing the mac change).
  10. You could always add one by editing the index.php page appropriately. Of course, that will only last until you upgrade firmware.
  11. I had that same problem, but disabling no script for that "site" worked fine (pops up at the bottom of the page).
  12. 1. Yes, edit the appropriate line in /etc/config/wireless (the one that sets essid to pineapple)
      2. The log is just that, a log; it shows what has happened, not what is currently happening.
      3. Not sure, I use a laptop... look at the wp4.sh script, should be able to use that as a starting point
      4. Gateway is the door to the internet, so it would be your phone. No clue on sharing the SDCard on the phone... but my guess is no.
  13. Even with the change to /etc/config/wireless and running wifi after bringing wlan0 back up it still doesn't work?
  14. You are right, somehow I missed that but I found the fix (I'll edit my original post to reflect). Edit /etc/config/wireless: comment out (or remove) the line that says "option macaddr" and add a line that says "option phy phy0". Then after you do "ifconfig wlan0 up" add a line that says "wifi". The problem was, it was looking for a radio device with a specific mac, so we'll change that to look for a specific phy device. Since we only have one it's not a problem. The command wifi basically reruns the config so it will grab the new mac address and be back up and running.
  15. I found a solution, but it can increase boot time quite a bit (anywhere between 0 and 15 seconds in my setup, but you can change that). Unfortunately random isn't available, so this was the only solution I could come up with. Create a new script, I called mine changemac.sh:

      #!/bin/bash
      # stdin is the 0-255 number produced by the dd/hexdump pipeline in the boot script
      read RAND
      RAND=$(($RAND % 15))
      ifconfig wlan0 down
      sleep $RAND
      macchanger -r wlan0
      ifconfig wlan0 up
      wifi

      The % 15 is your max, so you can change that to whatever you want (ie % 10 for 0-10). chmod +x changemac.sh; I put mine in /root (home directory). Edit /etc/config/wireless: comment out (or remove) the line that says "option macaddr" and add a line that says "option phy phy0". Then in your boot script make it this:

      wifi
      hostapd_cli -p /var/run/hostapd-phy0 karma_enable #Don't touch this
      dd if=/dev/urandom bs=1 count=1 | hexdump -e '5/1 "%1d"' | /root/changemac.sh
      exit 0

      That's it, it'll use /dev/urandom to get some random bits, change it into a number between 0-255, then drop that down to 0-15 and sleep for that long. It's not clean, but it works... if anyone can clean it up or find a better way let me know.
  16. I assume you mean eth0, where the pineapple is connected. I tried both eth0 and wlan0 (where the internet is coming from) and seemed to get the same results.
  17. I've searched for a while, but I can't figure out what I'm doing wrong... everything runs as it appears it should, and some stuff does show up on hamster (all from the same IP, but that is to be expected) but no cookies, and clicking on things normally gives nothing (unless it was an image, those appear...). I've tried with a few sites, like gmail/facebook/etc and got nothing on all of them. Could someone walk me through how to do this, since I'm obviously failing at it... or does it just not work with this setup? Is there another/better way to do sidejacking with the MKIV?
  18. I didn't even get that far... just throws an error for me.
  19. Hack the Hackers!!!! no wait... that's not right...
  20. I just upgraded from 1.0.1 to 1.0.2 and it reset everything, I was playing with rick roll and it was gone, my changes to /etc/config/wireless and /etc/config/uhttpd were gone, as was my changed password... was that intended with upgrades?
  21. Thanks, that works perfectly. Just added

      option error_page /index.html

      save/close, then

      uci commit uhttpd
      /etc/init.d/uhttpd restart

      Now the rick roll works on any url! As Darren said, if you're not ready to troubleshoot a completely broken system... playing with config files isn't a good idea. P.S. if you edit /etc/config/wireless you can change the essid of your pineapple to anything, and have it change over boot. Mine is now Public Wifi.
  22. With the DNS spoofing, you should be able to set up a handler for 404 errors to redirect (again) to something else (like the redirect.php, effectively stripping anything after .com). I can't write the steps as it's been years since I've worked on a webserver, but it should be possible... I may test it sometime later. EDIT: .htaccess is what I was thinking about... but that doesn't work, tried a few different things with no luck.
  23. I do have the 036H, but it's not playing nice either (keeps saying it's on channel -1). I'm going to try it after I get a new laptop (for BT5) as it's probably just Ubuntu being stupid and I don't feel like installing other wireless drivers on a machine I actually use and having to deal with the pain if it ends up breaking what does work. I just wanted to see it work, but all of the devices I have available to me don't seem to be doing much... I did forget to turn it off when I went to work and saw a few connections to an iptime router that someone in my building uses... oops, but at least I had ICS going for them :P