Posts posted by mondrianaire

  1. I am almost finished with v0.1 of my offline phishing module. The premise of this module is simple. You set the SSID of an open wireless network (Free Public Wifi, etc.). When enabled, all requests will be forwarded to a 'walled garden' splash page. This will inform the viewer that they have limited access to only certain pages, and will give links to these pages. Every one of these pages is a phishing page that you can upload to the module (even your own!).

    Since all phishing pages are hosted locally, this module is intended to work all of the time, without internet access. It gives the user the impression that they are connecting to pages on the internet, yet all credentials are harvested.

    Another beautiful thing about this module is how little hardware it uses. I have been known to have up to 3 USB Wi-Fi cards plugged into my Pineapple while using it for deauth/Wi-Fi repeating, etc. This module can be used with only a properly formatted flash drive, eliminating the need for a USB hub (and the extra power it consumes).

    I need Seb or someone at wifipineapple.com to verify me for module submission.

    I also would like to talk to Petertfm about this module. I have reused (embarrassingly large amounts of) his code from his RandomRoll module in this. Our modules are extremely similar in both frontend and backend. I would like to ask him a couple of questions and get him to sign off on the parts of his code I used before making this public. I have tried to message him but he does not accept messages. Petertfm, if you read this, please send me a message or an email at my uname [at] gmail.

    [two screenshot attachments]

  2. I have been working on a module extremely similar to this. The only difference is that there is no reason this sort of module should not be able to work offline. The idea is simple. Change the SSID to "Free Public Wifi". Reroute (dnsspoof) all traffic to 172.16.42.1. The default landing page is a walled garden page explaining that free internet access is limited to a certain number of websites, and gives links to all those websites (all of these websites are phishing pages). Perhaps even put in a clause about unlimited internet access for 'Premium Members'. You have to modify most phishing pages by downloading all the dependencies and referencing them locally, but after that, you have a fully enclosed offline credential harvester. You can keep it running all day, in your backpack or something, riding the train, on a bus, in airports, etc. You get the drift.

    On a more technical note:

    The main problem that I am running into is the Network Connection Status Indicator (the systray icon for wireless) that will indicate to the user that they do not have internet access. A bit of digging and a great superuser post (http://blog.superuser.com/2011/05/16/windows-7-network-awareness/) shows that the way Windows detects Internet access is first by requesting a text file (http://www.msftncsi.com/ncsi.txt), and if this fails, it tries to DNS resolve dns.msftncsi.com. If both of these fail, the internet connection will show no internet access. If the second passes, but the first fails, NCSI will display the message 'Additional log on information is required', which is really the best we're going to get with a Pineapple, unless someone knows how to make the Pineapple both resolve DNS correctly and respond to requests heading for that IP.
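    To reproduce that NCSI decision from a client that is connected to the Pineapple, here is an added Python example (not code from the post above or from the Pineapple project). It runs the two probes the post describes, the HTTP fetch of ncsi.txt and the DNS lookup of dns.msftncsi.com, and applies them in the same order. The expected ncsi.txt body ("Microsoft NCSI") and the address Windows 7 expects for dns.msftncsi.com (131.107.255.255) are assumptions taken from my own knowledge of Windows 7 and are not stated in the post; a redirect on the HTTP probe is treated as a failed probe, which is how a captive-portal splash page shows up to the client.

```python
"""Emulate the Windows 7 NCSI verdict on a client (added example, not Pineapple code)."""
import socket
import urllib.error
import urllib.request
from typing import Optional

NCSI_URL = "http://www.msftncsi.com/ncsi.txt"
NCSI_EXPECTED_BODY = "Microsoft NCSI"   # assumption: body Windows 7 expects, not from the post
NCSI_DNS_NAME = "dns.msftncsi.com"
NCSI_EXPECTED_IP = "131.107.255.255"    # assumption: address Windows 7 expects, not from the post


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A 3xx answer (typical walled-garden behaviour) counts as a failed HTTP probe."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError instead of following the redirect


def http_probe(url: str = NCSI_URL, timeout: float = 3.0) -> Optional[str]:
    """Fetch ncsi.txt without following redirects; None on any network/HTTP failure."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read(64).decode("ascii", "replace")
    except (urllib.error.URLError, OSError):
        return None


def dns_probe(name: str = NCSI_DNS_NAME) -> Optional[str]:
    """Resolve the NCSI probe name through the client's configured resolver; None on failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def ncsi_verdict(body: Optional[str], ip: Optional[str]) -> str:
    """Apply the ordering from the post: HTTP body first, then the DNS answer."""
    if body is not None and body.strip() == NCSI_EXPECTED_BODY:
        return "internet access"
    if ip == NCSI_EXPECTED_IP:
        # HTTP probe failed or returned something else, but DNS gave the expected address.
        return "additional logon information required"
    return "no internet access"


def diagnose() -> dict:
    """Run both probes for real and return the raw results next to the verdict."""
    body, ip = http_probe(), dns_probe()
    return {"http_body": body, "dns_answer": ip, "verdict": ncsi_verdict(body, ip)}


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value!r}")
```

    Behind a Pineapple whose dnsspoof entry is `172.16.42.1 *` and whose web server answers every request with the splash page, both comparisons fail and the verdict is "no internet access". Only answering dns.msftncsi.com with the expected address while still serving the splash page moves the verdict to "additional logon information required", which is the captive-portal state the post is aiming for.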

  3. I may be misunderstanding the entire process behind this, but I do not understand how an ettercap filter would be the best way to do this.

    If I am correct, it is javascript that is doing the keylogging and reporting, and an iframe just displays the rest of the pages. If this is the case, would it not be easier to redirect all dns queries to a landing page that loads the javascript and then referral page in an iframe? This would not be a 'true' keylogger as it would only work while in a browser on a box connected to the pineapple, but it is far more than a 'credentials grabber' as some are suggesting.

    From looking at the screenshots, this is exactly what the module looks like it is doing. All queries are being redirected to the Pineapple ("172.16.42.1 *"), the landing page is redirecting to login.php (which would house the javascript and referrer iframe redirect), and then the keylogger part is just reading a file.

    The implementation of this is a keylogger that will work on any webpage in a browser. It will grab all creds as well as emails, forum posts, things of that sort.

    ...right?

  4. Pineapple Hardware Version (ex: Mark III, Mark IV, etc.): Mark4

    • Pineapple Software Version (ex: 2.5.0, 2.6.4):

    2.6.3

    • OS used to connect to the pineapple:

    Win7

    • Network layout of how your setup is connected (including IP information):

    Pineapple gets internet from LAN/POE port connected to laptop. Can resolve domains from ssh interface of pineapple. (ping www.google.com resolves and responds) EDIT: this also happens when using an external adapter to supply wireless internet (wlan1 - AWUS036NH).

    • All the tools/options that are running on the pineapple when the issue happened:

    Wireless and Cron are the only modules running

    • Ping results from computer to pineapple:

    Pinging 172.16.42.1 with 32 bytes of data:

    Reply from 172.16.42.1: bytes=32 time=1ms TTL=64

    Reply from 172.16.42.1: bytes=32 time<1ms TTL=64

    Reply from 172.16.42.1: bytes=32 time<1ms TTL=64

    Reply from 172.16.42.1: bytes=32 time<1ms TTL=64

    Ping statistics for 172.16.42.1:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

    • Is the problem repeatable (Yes/No):

    Yes, happens on reboot

    • Steps taken which created the problem:

    SSH to pineapple -> login -> opkg update

    • Error Messages:

    Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/Packages.gz.

    wget: server returned error: HTTP/1.1 404 Not Found

    Collected errors:

    * opkg_download: Failed to download http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/Packages.gz, wget returned 1.

    • Anything else that was attempted to 'fix' the problem:

    Navigating to the packages.gz url from a browser gives 404.

    --------------------

    Hopefully this is me being a complete idiot, but I cannot seem to update packages on the pineapple. I have tried this on 2 separate internet connections just to be sure.

  5. As far as I have experienced, both work without problems on Backtrack and Windows 7.

    The issue is with USB passthrough to a VM currently.

    What issues with USB passthrough? In VMware? I have no issues with USB passthrough with either adapter, if I plug them in after the VM has started and with USB filters.

  6. Yeah, I think most OSes store some kind of a DNS cache, therefore I always use ipconfig /flushdns and ipconfig /renew in my Windows OS. May not need both commands, but I like to do both. And I also have as a habit to run a ping to test it.

    Yes, not only do OSes handle DNS caching differently, so do browsers. Try a different browser (Winkey + R, iexplore.exe :()

    In my understanding DNS spoof is actually like a regular DNS service, it's advertised as the DNS server by DHCP, and every DNS request should go to DNS spoof, right? And the addresses that DNS spoof is configured with should be consistent. And only the requests that DNS spoof is not configured with should be sent to something like OpenDNS.

    This is mostly correct. It is true that the DNS is set by DHCP, but this is the case whether DNSspoof is running or not. The trick is that the Pineapple is also a DNS forwarder. The way DNS works is by a series of redirects until the query finds the correct (authoritative) server. DNSspoof works by not forwarding DNS queries for specific sites (the ones you configure in the settings). All other queries going through the Pineapple are forwarded to the next DNS server, which I believe is Google Public DNS (8.8.8.8 & 8.8.4.4), or to the DNS server handed out by the WAN DHCP lease of the Pineapple. It is for this reason that dnsspoofing will not work on a target with static DNS set.

    Anyways, isn't the log that dns spoof creates a kind of "copy" of dns spoof's output? Like when the log shows an opendns ip, I think that DNS Spoof is telling the victim to use the opendns ip. I would rather have DNS spoof not sending ANY ip, if it's unable to send the pineapple's ip.

    So are you saying that if someone requests a page that is not in your dnsspoof records, you do not want to forward it? You could do this by simply not connecting the Pineapple to the internet (standalone mode).

  7. And another thing to mention is that some devices save the IP for a DNS record and bypass dnsspoof/DNS.

    Absolutely true. However, a DNS flush should take care of the problem for troubleshooting. Also, the easiest way to test this is with a simple ping. If you ping the domain from the command line, you can see what IP it resolves to. This takes a whole lot of variables out of the equation (i.e. browsers, etc.).

  8. Okay, I'm not sure which thread I should use since there are so many threads about DNSspoof, but I'll give this one a go.

    So I've been experiencing some hiccups with DNS spoof, meaning that sometimes it's redirecting to the Pineapple, and sometimes it's showing the real site. I've actually settled with this behaviour since I thought it might have to be like this.

    However, now I have seen in the dnsspoof log that it's forwarding to an external site(see the spoiler for details) and I'm beginning to wonder why this is happening? As far as I understand I think this is a server from opendns, but is this something that the pineapple is programmed to do? Is it supposed to act like this? If not, what could I do to change this behaviour?

    Alright, I was having a lot of the same problems and have come to some information about what may be going on.

    In a lot of my test situations, I was connecting to the Pineapple, then turning dnsspoof on, then testing my sites. I have realized that there is a potential flaw with this. I believe I remember hearing a while ago that the way Windows handles DNS is a bit wonky. If a primary DNS server fails to respond at any one time, I believe it switches to secondary DNS until that one fails and then it reverts. I realized this when, looking through my dnsspoof logs, I was finding the same things you were. I was interested in where the DNS queries were going, as they were not addressed to the Pineapple (172.16.42.1) but some other DNS server (in my case OpenDNS). An ipconfig on my victim machine shows the Pineapple as primary DNS and OpenDNS as secondary. So one of two things is happening.

    Dnsspoof is failing to spoof correct dns and instead is forwarding to opendns

    or

    windows has detected that the pineapple's dns has failed and has started reverting to secondary dns

    My problem with the second is that the dns records are still in dnsspoof's logs. I am not familiar with the intricacies of dnsspoof's logging function, but I do know that dnsspoof does not log dns requests it does not touch. For example if your hosts file has the line '172.16.42.1 *.example.com' any requests NOT to example.com will not show up in the spoof log, so perhaps something in dnsspoof is broken?
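    The two posts above turn on how the dnsspoof hosts file decides which queries get a forged answer and which are left to the forwarder (and therefore never show up in the spoof log). The following is an added Python model of that decision, written for this page; it is not dnsspoof's own code. dnsspoof itself sniffs queries off the wire and injects a forged reply, so the model abstracts that to "match the name against the hosts file, forge an A answer if it matches, otherwise hand the packet back unchanged". Pattern matching is shell-style, as in a dnsspoof hosts file, so `*` covers every name and `*.example.com` covers subdomains but not the bare `example.com`. The client address in the log line and the sample hosts entries are constructed for the example.

```python
"""dnsspoof-style spoof-or-forward decision on raw DNS packets (added example)."""
import fnmatch
import struct


def parse_hosts(text):
    """Parse 'IP pattern' lines from a dnsspoof-style hosts file; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, pattern = line.split()[:2]
            rules.append((pattern.lower(), ip))
    return rules


def lookup(rules, qname):
    """Spoof IP for the first matching pattern, or None meaning 'forward untouched'."""
    qname = qname.lower().rstrip(".")
    for pattern, ip in rules:
        if fnmatch.fnmatchcase(qname, pattern):
            return ip
    return None


def _read_name(pkt, off):
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def parse_query(pkt):
    """Return (txid, qname, qtype, qclass) for a single-question DNS query."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    name, off = _read_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name, qtype, qclass


def build_query(name, txid=0x1234):
    """A minimal recursive A/IN query, used here as constructed client traffic."""
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
            + _encode_name(name) + struct.pack("!HH", 1, 1))


def build_answer(txid, name, ip, ttl=60):
    """Forged response: QR+RD+RA set, one A record pointing at the question name."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def handle_query(pkt, rules, src="172.16.42.100.51000", dst="172.16.42.1.53"):
    """(forged_response, log_line) if the name is spoofed, else (None, None): forwarded
    queries produce nothing, which is why they never appear in the spoof log."""
    txid, name, qtype, qclass = parse_query(pkt)
    if qtype != 1 or qclass != 1:
        return None, None  # only A/IN questions are forged in this model
    ip = lookup(rules, name)
    if ip is None:
        return None, None
    return build_answer(txid, name, ip), f"{src} > {dst}:  {txid}+ A? {name}"


def answer_ip(resp):
    """Address carried in a response produced by build_answer."""
    return ".".join(str(b) for b in resp[-4:])


if __name__ == "__main__":
    rules = parse_hosts("172.16.42.1 *.example.com\n")  # constructed sample hosts file
    for qname in ("www.example.com", "example.com", "www.google.com"):
        resp, log = handle_query(build_query(qname), rules)
        print(qname, "->", answer_ip(resp) if resp else "forwarded", "|", log)
```

    Running it shows the asymmetry the second post points at: with only `*.example.com` in the hosts file, `www.example.com` gets the forged 172.16.42.1 answer and a log line, while `example.com` and `www.google.com` are forwarded silently. If a name you expect to be spoofed shows up in the log with an upstream address, the pattern did not match it and the forwarder answered.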

  9. Clear browser cache ;)

    When you ssh into pineapple you can see the fw version in the welcome banner :)

    -It's accessed by a new URL, so the browser would not load the page from cache.

    -The welcome banner only shows the minor release version (2.6), not revision numbers.

  10. I upgraded to the new fw version, verified by all my settings being reset and not being able to access the UI from 172.16.42.1/pineapple/ however on the upgrade page, it still is showing current fw as 2.6.3. Just a bug?

    I remember there being a way to check fw version from cli but I forgot. Sorry I could not be more useful.

  11. mdk3 seems to work fine on mine, although I haven't looked into the channel hopping issue.

    My problem is with practicality. Using MDK3 for deauthing with the Pineapple only will work well if tethered to an Android, using a wired connection, or a 3G dongle. Most of my setups involve 2 external adapters on my Pineapple. You have the Pineapple's Wi-Fi radio for LAN, one used in client mode for internet access and a third for deauth attacks. The main problem with using MDK3 is that it can only whitelist/blacklist APs, not stations.

    Take this scenario. There is an AP, with multiple clients connected. I come in with my Pineapple, use one of the external radios to connect to the AP, then use the other radio to deauth. What do I deauth? If I deauth the AP, then my Pineapple will lose internet access. If I don't, they have no reason to break their current association, and will never connect to the Pineapple.

    That is where airdrop is *supposed* to come in. Airdrop takes live output for the clients that are connected and can handle both AP & client rules together. Therefore you can set up a scenario where no one else can connect to any AP except your Pineapple, but your WAN adapter on your Pineapple can still connect to some rogue AP. But as petertfm has said before, figuring out the dependencies for airdrop is next to impossible.

    Given this scenario, using mdk3 is relatively useless. I don't care about anyone connecting to other access points, I just want everyone but my Pineapple to be kicked from the access point, which is not possible without client-based rules.

    Am I missing something? How is everyone else using mdk3? Is it useful or just trying to get it working?

  12. After 2.6.3, I was able to finally get my adapter working with the pineapple so I downloaded this and have not been able to get it to work yet, just wondering what I am doing wrong.

    I follow everything Neoworld said,

    Autodetect finds my adapter

    I configure the security for the access point

    click save

    everything reloads, my adapter is still up

    click commit

    my adapter disappears, and is no longer up

    I have to bring the adapter back up manually (i.e. ifconfig wlan1 up)

    *Sometimes it even reassigns the adapter to an incremented wlan name (i.e. wlan2)

    any ideas?

  13. Also, to add to this, it's not just the nyan files that are the issue... it's all of them, all the landing pages... and phishing sites do not come up with the right images.

    From your screenshots, like petertfm said, your url is local (from your C:/ drive) not from 172.16.42.1 (pineapple). You are looking at cached copies of the website. I am not saying check the image from the usb drive. I am saying, try to pull up the direct image link from your pineapple.

    Submit a screenshot from your browser with the problem. Make sure that it has 172.16.42.1 in the url.

  14. Seb. I can't thank you enough. I just downloaded 2.6.3 and the feeling of relief that I got when I plugged in my AWUS036NH and finally saw it listed under iw list. I was set up and ready to just go buy an AWUS036H so that I could get this thing completely wireless.

    You sir, have made my day.

  15. Also, as I have been going on, a couple of styles seem to be hard-coded into the HTML (i.e. <b style="css:asdf;">):

    The textarea boxes on the config page

    status notifications ( current mode for black/whitelisting | reset button is enabled)

    I'll add any more if I see them.

    These can be changed by adding a class to the elements and defining that class in the custom css.
