[Error when downloading pcap's from the Nano]

I have not seen any issues with using SFTP to transfer files, but I have to say the files were much smaller, on the order of 10-20 Mb.

Does the device hang, or just the transfer is terminated?

[[SQL Injection]How <a' OR ''='> could list user ?]

The use of quotes in a SQLi injection string drive the completion of values in the where clause of a conditional within an SQL statement.

[[SQL Injection]How <a' OR ''='> could list user ?]

This would make the conditional in the SQL statement always return true. I can see the query being something like this:

select <fields from table> from users where username = 'a'

If the application is not binding the input to the search fields, then they are concatenating and making the statement become...

select <fields from table> from users where username = 'a' or ''=''

The second part of the conditional is or '' = ''; empty string will always be equal to empty string, thus, the whole condition would return true. The first part username = 'a' would be false, but when evaluating false or true, the result is true.

Hope this helps.

[javascript poup]

Looking at the image you provided, I don't think that is Javascript, or it can be driven by javascript, but I think its a div tag that is hidden and displayed when required.

[General modules Discussion]

To put the modules in the USB it would take some configuration at the OpenWRT level, and then it would require you to update the module manager to reference the /USB instead of /SD path. This I would consider the correct way.

You can try shortcut it, but getting openwrt to consider your usb as /sd. You'll have to do some research as I don't have the notes for doing this handy.

[Pentest with Hak5 training]

I'm no where near where the training is occurring. I would not be attending :)

[opkg installing packages issues]

The package installed successfully. When you try to run a tool from that package, do you get an error?

For example, what if you ran the below. Does it work?

easy_install requests

I get the error shown below, I would expect that this package would be installed by the installation process as it does on other systems.

Traceback (most recent call last):

File "/sd/usr/bin/easy_install", line 5, in <module>

from pkg_resources import load_entry_point

ImportError: No module named pkg_resources

[opkg installing packages issues]

Has anyone tried to use opkg to install any packages to the sd?

I ran the following command to isntall pythong-setuptools, and it seems to fail at some point, b/c its looking at the /usr/lib/opkg/info directory on internal storage instead of the sd, even though i specified the -d sd in the command.

root@Pineapple:/sd/wigle# opkg update && opkg --force-reinstall -d sd install python-setuptools

Downloading https://www.wifipineapple.com/nano/packages/Packages.gz.

Updated list of available packages in /var/opkg-lists/chaos_calmer_pineapple.

Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.gz.

Updated list of available packages in /var/opkg-lists/chaos_calmer_base.

Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/packages/Packages.gz.

Updated list of available packages in /var/opkg-lists/chaos_calmer_packages.

Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/management/Packages.gz.

Updated list of available packages in /var/opkg-lists/chaos_calmer_management.

Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/routing/Packages.gz.

Updated list of available packages in /var/opkg-lists/chaos_calmer_routing.

Removing package python-setuptools from sd...

cat: can't open '/usr/lib/opkg/info/python-setuptools.list': No such file or directory

Installing python-setuptools (7.0-1) to sd...

Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/packages/python-setuptools_7.0-1_ar71xx.ipk.

Configuring python-setuptools.

grep: /usr/lib/opkg/info/python-setuptools.control: No such file or directory

cat: can't open '/usr/lib/opkg/info/python-setuptools.list': No such file or directory

root@Pineapple:/sd/wigle#

[[Official] Base64EncDec]

The module has been submitted for addition to the ModuleManager. It should be up shortly.

Module: base64encdec

Version: 1.0

Features:

• Base64 encoder and decoder

[Infusion Creation]

I would copy the code to your PC first and start to study it. Analyze it and comment it in order to understand how and why things are working. If you jump right into it, i think it will be a challenge.

[Infusion Creation]

My recommendation is to take one of the already written infusions and understand how it works and why it works. This will help you establish the foundation for writing an infusion.

Next you can take one from the MKV or Nano and analyze the what is occurring with respect to the calls that are made against the device to install packages, etc. You can try to port those commands over to the MKVI if the device has the space to store the dependencies that are installed. You may need to set up expandable storage on the USB stick.

[Requesting: can someone share a PineAP log]

Hi,

I don't have my nano and am working on converting the get module for the nano.

Can someone share their PineAP log? The file is stored at /tmp/pineap.log. Their should have been individuals who were connected.

Thanks!

[General modules Discussion]

I have to agree with Whistle Master.

Additionally, the API has changed from previous versions of the MK. The new interface uses AngularJS and this is new for some as myself. We are doing this for fun, to learn something new and at the same time give something back to the community.

[Configuration Patch: Change Radio Region]

Cool thanks will do!. I don't have my nano yet. So i'm on ubuntu anyways. I'll patch it there and move the updated files when I get it to the pineapple

[Configuration Patch: Change Radio Region]

Good opportunity for me to learn how to patch a file.

With the patches you have created above with the differences, can you provide an example of how to patch the respective files?

[Setting up SD card as root to install more pkgs with opkg and use beef]

To add on to what Seb stated... check the etc/opkg.conf file. You can see the mapping to the sd card. In older Pineapples, it was listed as usb.

opkg --dest sd install <package name>

[[WIP] Python wigleAgent]

Made a bit more progress on this script.

Now I can provide a street address and get back 100 networks that are listed near it. The output that is returned from the script is shown below. One could run the command-line module to get the results and then convert them to a format that they can post on Google Maps.

Gonna have to see what needs to be done to make this a command-line module.

Sample execution:

 
python testWigleAgent.py -u <username> -p <password> -a "1600 Pennsylvania:DC:20500"
==============================
[*] WIGLE: This user was validated
[*] WIGLE: Lat / Long and SSID have been retrived
BSSID: 00:0B:6C:BD:BD:BD
ESSID: null
WEP: ?
Channel: null
Latitude: 38.90174103
Longitude: -77.02464294
 
 
BSSID: 00:15:AF:17:ED:97
ESSID: GlobalSuiteWireless
WEP: N
Channel: 0
Latitude: 38.90188217
Longitude: -77.02464294
 
 
BSSID: 00:18:0A:81:EB:88
ESSID: DCPL_ MLK_Digital Commons_Staff
WEP: 2
Channel: 1
Latitude: 38.89808655
Longitude: -77.02464294
 
 
BSSID: 00:18:F8:18:84:1B
ESSID: tiger
WEP: Y
Channel: 11
Latitude: 38.89736938
Longitude: -77.02464294
 
 
... truncated result set ....
 

[[Release] 2.4.0 - Codename: Tractosaurus Rex!]

Since from my understanding the Nano and the MKV are mostly the same, the ability to port the UI to the MKV would not be very difficult.

[When will Modules be ready ?]

Regarding the module's I've got. I don't have a Nano yet, once I get one I'll work on porting the modules over.

Instead I've focused on starting to write a new module, that will be a command line infusion/module that will act as an agent to get information from Wigle. Since its command-line, it will work also on older pineapples. But the module (GUI) is planned as well.

thanks!

[[WIP] Python wigleAgent]

Hi All,

I've finally had some time to pick up some development for the pineapple again. Starting working on a Wigle agent that will be set up as a command line infusion/module which the rest of the modules can use also.

Right now, I have it able to search for a location based on a mac address, or to pull back some information about all networks that are found when searching by an SSID.

Looking for ideas on what else you would like to see implemented.

If your interested in trying it out, I have started to run it on my MKV. When developing it on my PC, the results are returned pretty quickly, on the MKV, it takes some time. Not sure where the bottleneck is at this point, but will work on it in the future. Have not tried it on a NANO, as i don't own one yet.

You will need to install some packages on the MKV to get this to work correctly. I don't have that list handy right now, but try to run the script and python will tell you what libraries it needs installed.

Looking for some feedback. Thanks!

Note:

Below is the code for the three files you will need to create. Place them in the same directory. Location on the pineapple doesn't matter.

To execute the script, the command line is (with sample output):

Example run (search by ssid):

python testWigleAgent.py -u <username> -p <password> -s <SSID> to search for info per SSID

==============================
[*] WIGLE: This user was validated
[*] WIGLE: Lat / Long and SSID have been retrived
BSSID: 00:13:10:F8:9B:70
ESSID: NavyPier
WEP: Y
Channel: 6
Latitude: 41.87978745
Longitude: -87.62429047

Example run (search by macid):

python testWigleAgent.py -u <username> -p <password> -m <MAC> to get the location for a specific BSSID

[*] WIGLE: This user was validated
[*] WIGLE: Lat / Long and SSID have been retrived
==============================
SSID: NavyPier
Latitude: 41.88973236
Longitude: -87.61649323

wigle_query.py

#!/usr/bin/env python
from uuid import getnode
#from Modules.Common import *
import sys
import re
import requests
import json
import helpers

#Inspired and stolen from Jamie Bull (author).. at http://code.activestate.com/recipes/578637-wigle-wifi-geolocation/


class WigleAgent():
      #These are the options we will set
    def __init__(self, username, password):
        self.agent(username, password)
        self.mac_address()
        # required options
        self.description = "simple WIGLE query"
        self.language = "python"

        # options we require user interaction for- format is {Option : [Value, Description]]}
        self.required_options = {"wigle_user" : ["offtest", "Set WIGLE User-Name"],
                                 "wigle_pass" : ["83128312", "Set WIGLE Password"],
                                 "mac" : ["00:22:55:DF:C8:01", "Set MAC Address"]}    

    def get_lat_lng_by_mac(self, mac_address):
        #Start with Credintial check
        try:
            self.response = send_user_check()
            response = self.check_cred_login()
            if response == 'false':
                print "[*] Unable to validate this user..."
        except:
            #Use this two let user know we had a true login..
            print helpers.color('[*] WIGLE: This user was validated', bold=False)
            pass
        
        
        if mac_address == None:
            mac_address = self.mac_address
        if '-' in mac_address:
           mac_address = mac_address.replace('-', ':')
               
        try:
            self.query_response = self.send_query_location_by_mac(mac_address)
            
            #Need to use Try statment since the "message" Key isnt always prsent when conducting query
            try:
                message = self.check_query_limit()
                if message == "too many queries":
                    print "[*]" + message
            except:
                #Use pass since we dont have an error...
                pass
            response = self.parse_response_mac()
        except IndexError:
            response = 'BSSID (MAC) location not known'
            return response
        print helpers.color('[*] WIGLE: Lat / Long and SSID have been retrived', bold=False)
        return response
      
    def get_lat_lng_by_ssid(self, ssid):
        #Start with Credintial check
        try:
            self.response = send_user_check()
            response = self.check_cred_login()
            if response == 'false':
                print "[*] Unable to validate this user..."
        except:
            #Use this two let user know we had a true login..
            print helpers.color('[*] WIGLE: This user was validated', bold=False)
            pass
               
        try:
            self.query_response = self.send_query_by_SSID(ssid)
            
            #Need to use Try statment since the "message" Key isnt always prsent when conducting query
            try:
                message = self.check_query_limit()
                if message == "too many queries":
                    print "[*]" + message
            except:
                #Use pass since we dont have an error...
                pass
            response = self.parse_response_search()
        except IndexError:
            response = 'ESSID (ESSID) location not known'
            return response
        print helpers.color('[*] WIGLE: Lat / Long and SSID have been retrived', bold=False)
        return response
  
    def agent(self, username, password):
        self.agent = requests.Session()
        self.agent.post('https://wigle.net/api/v1/jsonLogin',
                   data={'credential_0': username,
                         'credential_1': password,
                         'destination': '/https://wigle.net/'})
        
    def mac_address(self):
        mac = hex(getnode())
        mac_bytes = [mac[x:x+2] for x in xrange(0, len(mac), 2)]
        self.mac_address = ':'.join(mac_bytes[1:6])    
    
    def send_query_by_SSID(self, ssid):
        response = self.agent.post(url='https://wigle.net/api/v1/jsonSearch', data={'ssid': ssid,'Query': 'Query'})
        #Check for and handle JSON Errors, due to blank returns
        try: 
            #print "====>>>>"
            #print json.dumps( response.json(), indent=3 )
            #print "<<<<===="
            
            #return response.json()
            return response
        except ValueError:  # includes simplejson.decoder.JSONDecodeError
            print helpers.color('[*] WIGLE: Decoding JSON has failed', bold=False, warning=True)
            print helpers.color('[!] Exiting...', bold=True, warning=True)
            sys.exit()
            
    def send_query_location_by_mac(self, mac_address):
        response = self.agent.post(url='https://wigle.net/api/v1/jsonLocation', data={'netid': mac_address,'Query2': 'Query'})
        #Check for and handle JSON Errors, due to blank returns
        try: 
            return response.json()
        except ValueError:  # includes simplejson.decoder.JSONDecodeError
            print helpers.color('[*] WIGLE: Decoding JSON has failed', bold=False, warning=True)
            print helpers.color('[!] Exiting...', bold=True, warning=True)
            sys.exit()
    
    def send_user_check(self):
        response = self.agent.post()
        return response.json()
    
    # this method does not process the response. it returns the object to the caller
    def parse_response_search(self):
        #print json.dumps( self.query_response.json(), indent=3 )
        return self.query_response
    
    def parse_response_mac(self):
        #print "=================================================="
        #print self.query_response
        #print "=================================================="
        
        lat = self.get_lat()
        lng = self.get_lng()
        bssid = self.get_ssid()
        string = str(self.query_response)
        return {'lat':lat,'lng':lng, 'bssid':bssid, 'description':string}

    def get_lat(self):
        resp_lat = self.query_response['result'][0]['trilat']
        return float(resp_lat)
    
    def get_lng(self):
        resp_lng = self.query_response['result'][0]['trilong']
        return float(resp_lng)
    
    #Request the SSID name of the WIFI point
    def get_ssid(self):
        resp_ssid = self.query_response['result'][0]['ssid']
        return str(resp_ssid)
    
    #Check to see if we reached our limit of 100 querys
    def check_query_limit(self):
        resp_message = self.query_response['message']
        return str(resp_message)
    
    #Check User loign creds
    def check_cred_login(self):
        resp_message = self.query_response['success']
        return str(resp_message)

testWigleAgent.py

#!/usr/bin/env python
import os
import optparse
import urllib
import requests.packages.urllib3
import re
import urlparse
import wigle_query
import json

wa = None

def getLocationByMacID(macid):
    result =  wa.get_lat_lng_by_mac(macid)
    print "=============================="
    
    if ( isinstance(result, dict) ):
        print "SSID: " + result["bssid"]
        print "Latitude: " + str(result["lat"])
        print "Longitude: " + str(result["lng"])
    else:
        print result
    return

def getInformationBySSID(ssid):
    print "=============================="
    # result object needs to call .json() to get the actual dict object back
    result = wa.get_lat_lng_by_ssid(ssid)
    
    data = result.json()
    
    for key, value in data.iteritems():
        if key == "results":
            for entry in value:
                print "BSSID: " + entry["netid"]
                print "ESSID: " + entry["ssid"]
                print "WEP: " + entry["wep"]
                print "Channel: " + entry["channel"]
                print "Latitude: " + entry["trilat"]
                print "Longitude: " + entry["trilong"]
                #print "Lasttime: " + entry["lasttime"]
                print "\n"       
        
    return

def main():
    myusage = "usage: %prog -u <wigle username> -p <wigle_password> -n <macid>"
    #parser = optparse.OptionParser(usage=usage)
    parser = optparse.OptionParser(usage=myusage)
    parser.add_option("-u", dest="username", type="string", help="specify wigle username")
    parser.add_option("-p", dest="password", type="string", help="specify wigle password")
    parser.add_option("-s", dest="ssid", type="string",     help="specify network BSSID")
    parser.add_option("-m", dest="mac", type="string",      help="specify network ESSID")
    #parser.add_option('-a', dest='address', type='string', help='specify address in format address:state:zip')
    
    
    (options, args) = parser.parse_args()
    
    username = options.username
    password = options.password
    ssid = options.ssid
    macid = options.mac
    #address = options.address
    
    if username == None or password == None:
        print parser.usage
        exit(0)
    else:
        requests.packages.urllib3.disable_warnings()
        global wa
        wa = wigle_query.WigleAgent( username, password )
        if macid != None and ssid == None:
            getLocationByMacID(macid)
        elif ssid != None:
            getInformationBySSID(ssid)
        
if __name__ == '__main__':
    main()

helpers.py

#!/usr/bin/env python

import os, sys, types, string, textwrap

def color(string, status=True, warning=False, bold=True, blue=False):
    """
    Change text color for the linux terminal, defaults to green.
    Set "warning=True" for red.
    stolen from Veil :)
    """
    attr = []
    if status:
        # green
        attr.append('32')
    if warning:
        # red
        attr.append('31')
    if bold:
        attr.append('1')
    if blue:
        #blue
        attr.append('34')
    return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)

def formatLong(title, message, frontTab=True, spacing=16):
    """
    Print a long title:message with our standardized formatting.
    Wraps multiple lines into a nice paragraph format.
    """

    lines = textwrap.wrap(textwrap.dedent(message).strip(), width=50)
    returnString = ""

    i = 1
    if len(lines) > 0:
        if frontTab:
            returnString += "\t%s%s" % (('{0: <%s}'%spacing).format(title), lines[0])
        else:
            returnString += " %s%s" % (('{0: <%s}'%(spacing-1)).format(title), lines[0])
    while i < len(lines):
        if frontTab:
            returnString += "\n\t"+' '*spacing+lines[i]
        else:
            returnString += "\n"+' '*spacing+lines[i]
        i += 1
    return returnString

[Kudos to Darren, Seb, Shannon, Sara and crew]

:)

[Any win32 coders that can help answer a question regarding the clipboard API?]

Did some research, and seems that its a user issue.

Since my service is running as a different account, it cannot reach into the clipboard of the active user, as they have a "different" clipboard.

I would need to somehow figure out a way to sign in as that other user from my service. Probably not worth the effort, since the DLL injection works just fine.

[Any win32 coders that can help answer a question regarding the clipboard API?]

Exactly! I'll see if there would be a way for the system level process to get the clipboard as well. I don't see why that would be prevented...

[Any win32 coders that can help answer a question regarding the clipboard API?]

Worked on this a bit today and didn't have any luck.

Starting to suspect maybe some type of permission issue?? although its not a very critical task... just reading the clipboard.

From a goal perspective, I am able to load a dll into memory of target machine and read clipboard that way, but would have been nice to add it to the stage 1 executable.

EDIT:

When the process runs as Local System (service) then does not work. But if it runs as a user who is an admin on the system, then it runs just fine...

[Any win32 coders that can help answer a question regarding the clipboard API?]

I know the text is in ASCII or UTF8 format as i would copy a string like "The monkey" from notepad.

I tried the same code, but having it be injected into memory and it runs then. So something is going on with the process that is first loaded and not the code itself.