Jump to content


Active Members
  • Posts

  • Joined

  • Last visited

  • Days Won


Posts posted by mw3demo

  1. I don't understand it either. Basically, he's arguing that this should ping the heuristic of your antivirus, and therefore it should know when the real thing comes along. However, surely they already have signatures for this, and updates to their own heuristic engines. It doesn't make sense, and doesn't smell right.

    Feels like some elaborate social engineering attempt to download his modified exe, which is probably a virus itself and he wants to see if it's detected without submitting to virustotal (and therefore to the AV companies)

  2. Looks like a new release will be coming out soon, but even more exciting is the MITMf integration that is on the cards (Unless this is going to be in the next release!). MITMf will replace some of the infusions we have come to love and hate, and replace them with a one stop shop framework. This will hopefully solve some of the issues we were having running multiple infusions impacting the network. Now we will have the best of hardware and software MITM in one sweet pineapple!

    Some functionality may not make it due to being CPU intensive (FilePwn), regardless, this is going to be a giant leap!

    MITMf V0.9.5

    Framework for Man-In-The-Middle attacks

    Availible plugins

    • Responder - LLMNR, NBT-NS and MDNS poisoner
    • SSLstrip+ - Partially bypass HSTS
    • Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries
    • Sniffer - Sniffs for various protocol login and auth attempts
    • BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type
    • AppCachePoison - Perform app cache poison attacks
    • SessionHijacking - Performs session hijacking attacks, and stores cookies in a firefox profile
    • BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
    • CacheKill - Kills page caching by modifying headers
    • FilePwn - Backdoor executables being sent over http using bdfactory
    • Inject - Inject arbitrary content into HTML content
    • JavaPwn - Performs drive-by attacks on clients with out-of-date java browser plugins
    • jskeylogger - Injects a javascript keylogger into clients webpages
    • Replace - Replace arbitary content in HTML content
    • SMBAuth - Evoke SMB challenge-response auth attempts
    • Upsidedownternet - Flips images 180 degrees


    • Addition of the Sniffer plugin which integrates Net-Creds currently supported protocols are: FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc..) and Kerberos

    • Integrated Responder to poison LLMNR, NBT-NS and MDNS, and act as a WPAD rogue server.

    • Integrated SSLstrip+ by Leonardo Nve to partially bypass HSTS as demonstrated at BlackHat Asia 2014

    • Addition of the SessionHijacking plugin, which uses code from FireLamb to store cookies in a Firefox profile

    • Spoof plugin now supports ICMP, ARP and DHCP spoofing along with DNS tampering

    • Spoof plugin can now exploit the 'ShellShock' bug when DHCP spoofing!

    • Usage of third party tools has been completely removed (e.g. ettercap)

    • FilePwn plugin re-written to backdoor executables and zip files on the fly by using the-backdoor-factory and code from BDFProxy

    • Added msfrpc.py for interfacing with Metasploits rpc server

    • Added beefapi.py for interfacing with BeEF's RESTfulAPI

    • Addition of the app-cache poisoning attack by Krzysztof Kotowicz (blogpost explaining the attack here http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html)





  3. Hey Xcellerator,

    I reached out to Seb and Darren over on twitter and a new firmware should be coming out shortly (Also, MITMf integration appear to be on the horizon! This is epic news, it's well coded, and should remove the need for other infusions which weren't running well on the MKV. Not sure if it will land in the next release though!) Hope fully over the next week or so we should see a release.



  4. Alright. So your Bit Rate is similar as mine. Lets try this:

    1) ssh into your pineapple and run the command "top".

    2) Run PineAP and harvester like you were before and any other options you had running

    3) Open another ssh session in a seperate window and run: bash -c 'while [ 0 ]; do iwconfig | grep "Bit Rate"; sleep 1; done'

    Im curious to see if your Bit Rate drops whilst running. Mine varies between 52 Mb/s to 72.2 Mb/s.. With just PineAp and harvester etc running, the browsing is seamless. As soon as I start ettercap/sslstrip, it gets sluggish then hangs.

    On a side note, after I stopped sslstrip and etterca, the nginx process hung and saturated the link between the pineapple and my laptop. When I browsed to, I get bad gateay. Only thing todo was reboot the pineapple. I think it's all load related, but in your case you didnt have any infusions running right?

  5. Interesting, did not know it got deleted due to a Spanish gag law. No idea what the gov thought they could achieve by doing so.

    "Cause the new gag law which criminalized the publication of 'offensive' security tools/techniques I have to delete this repository. You can find good forks on MITMf framework (https://github.com/byt3bl33d3r/MITMf) or MANA rogue AP (https://github.com/sensepost/mana)."

    On a side note, MITMf's dev is pretty active, and has plans for additional features (https://github.com/byt3bl33d3r/MITMf/issues) , and he also just did a presentation at Black Hat Asia. I posted a ticket to his repo to see if he was interested in porting to the MKV back in December. He seemed very interested and also by chance, had a MKV already. Some libs were missing that would need to be included, and some functionality would have to be scaled back due to being too resource intensive, but the main parts could work.

    He is currently waiting for feedback from Seb/Darren, but they may very well be well along with their own version, or some other problem with officially incorporating such thing legally, commercially, or maybe limitations of the CPU/RAM to get it right, I don't know. I also posted a ticket on Sebs suggestion tracker last month, but no news yet.

    I know both Darren and Seb have been traveling a bunch over the past few months, as well as working on the show, so fingers crossed we get some feedback on a new proxy one way or another. :)

    Links: MITMf blog: http://sign0f4.blogspot.it/

    GitHub: https://github.com/byt3bl33d3r/MITMf

    MITMf ticket: https://github.com/byt3bl33d3r/MITMf/issues/31 (Closed pending feedback )

    Wifi pineapple ticket: https://www.wifipineapple.com/index.php?portal&bugs&action=view&id=291

  6. Cooper! Damnit. Was trying to do some social engineering. I was going to post this:

    "This all doesn't sound right, and is very suspicious. Your post screams at me that you are a peadophile. I have never heard of such a horrendous situation as a step father and his friend kidnapping a girl from another mother "teaching some skills and don't lie to us".

    I dated girls when I was 6 and onwards. You know what we did? Held hands, laughed and watched TV oh the shock horror. If I heard my wives new partner kidnapped my girl, I would find you and show you what kidnapping is all about, you would beg me to end it. What the hell is wrong in that sick twisted head of yours? Go get some help."

    Edit: Either this guy is a peadophile, or is actually a 11 year old himself. Out of curiosity though, how come you replied to him in Dutch Cooper? Anyways $5 says he doesn't reply.

    Edit 2: Just looked at his post again and saw that he mentioned he was Dutch.

  7. Happens to all of us ;)

    All the changes / additions we have made can be found in the changelog on the first page.

    In regards to a better dnsspoof, we are still working on our MITM proxy which will hopefully be released before the end of the year.

    Otherwise, we'll soon have a hangout where we will discuss future features.

    Best regards,


    Hey Seb,

    Hope you have been well. Thank you for the early Christmas Present! :) I was interested in seeing if a MITM proxy was capable of running on the pineapple. I came acroos the MITMf over at https://github.com/byt3bl33d3r/MITMf/ based on sergio-proxy, and the dev has been really active over the past month. I raised a ticket to see if the dev was interested in seeing if this could run on the MK V. Here is the link to the ticket with the devs replies: https://github.com/byt3bl33d3r/MITMf/issues/31 .

    I only just noticed you were already working on one which is great news. The MITMf dev seemed interested in porting this over though (He also owns a MK V), but ran into trouble due to missing libs. Would you be interested in helping port this project onto your firmware?

  8. So i have changed the script to work with the PineApple. At this moment the PineApple forwards all the data to my machine (just as it does with the wp5.sh script) and my machine does all the stuff (dns2proxy and sslstrip). I am looking to get this done on the PineApple, so i don't need my machine anymore. But i am not sure if the PineApple is strong enough to do all this stuff on the fly for say - 5 - connected users. My machine had a load of 58% with 6 connected users.

    Hey Barney,

    Great job! As Cooper said, if it's giving you that sort of load on a laptop/desktop, it will probably be too heavy for the pineapple. Can you share your script and details of the setup?

  9. This reminds me, any chance getting ettercap/other packages updated? Updates to the pineapple firmware are great, Sebs done a fanstastic job. The MKV has no problem getting a bunch of clients, recon/scanning is pretty much covered, we now need more tools for exploit and maintaining access.

    The current version is 7 years old. I posted this ticket a couple months back: https://wifipineapple.com/?portal&bugs&action=view&id=141 , understand packaging isn't straight forward from link in the ticket, and most of the packages are based on the OpenWrt repository, so it may take some time.

    Here is is the changelog from the current OpenWrtw package, 0.7.3, to 0.8.0:

    0.8.0-Lacassagne 20130921
    !! Fixed some problems in fork and execve usage in case of command failure (sslstrip)
    !! Fixed dropping privileges for remote_browser plugin ran as root
    !! Fixed infinite loop when a http GET was issued on the attacker browser, while remote_browser was active
    !! Fixed some "atexit" bad references
    !! Fixed plugin load on text interface, if no number were entered
    !! Fixed problem spotted when ethtool wasn't installed on the machine
    !! Fixed old "ethereal" references
    !! Fixed missing newlines in printf
    !! Switching to ps2pdf as default (from ps2pdf13), it should point to ps2pdf14 on all distros
    !! Fix cmake file, dropped MACPORTS_BASE_DIRECTORY
    !! Fix problem in "stopping attacks" window not properly shown in gtk
    !! Fix problem in wrong pcap file saving
    !! Fix issue in send_udp function
    !! Fix problem in libnet rc detection
    !! Fix restore ip_forward by retrying up to 5 times
    !! Fix socket issues
    !! Fix for hex format display
    !! New send_tcp function, taking payload and length
    !! Fixed memory leak in remote browser plugin
    !! Fixed comparison bug in ec_decode
    !! Fixed UI input for GTK
    !! Fixed some memory leaks
    !! Fixed man pages and AUTHORS file
    !! Fixes in sslstrip plugin
    !! Many etter.dns fixes
    !! Many documentation fixes
    !! A ton of refactors/fixes in Cmake scripts
    !! Fix GTK crash when scanning hosts
    !! Fix build failure on Mac OS X 10.6
    !! Crash fix in target selection
    !! Disabled UID change for remote browser plugin
    !! Fixed remote browser plugin
    !! A ton of fixes in protocols and dissectors (dhcp, http, ppp, mpls)
    + New ettercap logo
    + Renamed help menu to "?", to avoid double "H" shortcut
    + New WARN_MSG warning message
    + Added message in DHCP spoofing when no mitm has started
    + New horizontal scrollbar for messages in gtk view
    + Disabled offload warning messages (only in Release mode)
    + New ettercap-pkexec, policy and ettercap.desktop files for launching ettercap -G as a normal user with sudo privileges
    + Automatic host list refresh in GTK GUI after scanning
    + New fraggle plugin attack
    + New fields in etter.fields file
    + Cherry picked debian patches (svg icon)
    + Added content print on http dissector
    + Added support for negative dns replies
    + Creation of (experimental) unit tests
    + Creation of (experimental) libettercap
    + Now you can build just the ettercap library (libettercap) without any GUIs
    + Added travis-ci support
    + DNS spoofing for IPv6 addresses
    + PDF Docs generation is not optional
    + Added SRV query handling to DNS spoof
    + New mDNS spoof plugin
    + New low level decoders
    + New decoder for ip over pppoe
    + Added PPP DLT to interfaces
    + Add experimental Lua support to Ettercap
    + New Bundle libnet and curl
    + Full support for wifi decrypting (wep and wpa)
    - Disabled update feature (not working anymore and not secure)
    - Deprecated napster dissector
    0.7.6-Locard 20130327
    !! Fixed some parsing errors
    !! Fixes to TN3270 dissector and SSL Strip
    !! PostgreSQL dissector: Update output format to reflect release syntax
    for John the Ripper 1.7.9-Jumbo-8. The old format is still supported,
    but deprecated.
    !! Fixed memory leak in SSL Strip plugin
    !! Fixed check in invalid ip header
    !! Fixed QoS packets handling (they aren't dropped anymore)
    !! Fix in o5logon Heap Corruption
    !! New and updated OUI file
    !! Some memory leaks fixed
    !! Fixed some bugs in return values and fstat failures handling
    !! Fixed a bug in some password display (didn't get null terminated)
    !! Many fixes in gcc warnings when building
    !! Better cmake module to find curl and libnet
    !! Fixed bug in filters load
    !! Fixes in HTTP and HTTPs protocols
    !! Fixed UI deadlock
    !! Fixes in tcp and http handling (infinite loop and crash)
    !! Better reads in BGP to avoid invalid reads
    + New logo
    + Added ascii FQDN support to DHCP ACK
    + Added UA parsing to http packets
    + Added support for IPv4 and IPv6 Tunnels
    + New mDNS dissector
    + Added PPI support (per packet information) for wireless captures
    + Ensure that we find required packages with cmake
    + New clean-all cmake target
    + Print a message when done reading PCAP file
    - Removed 'u' and 'p' fields from etter.fields 20130201
    !! Fixed ncurses host scan crash (already fixed in
    !! Fixed ppp connection crash (already fixed in
    !! Fixed only MiTM mode selecting text interface
    + Changed to version to help distributions. 20130129
    !! applied patch to fix CVE-2012-0722
    !! fixed username detection in TN3270 dissector
    + Added new private-key and certificate-file options for SSL MiTM
    + Fix for crash in ncurses multiple scan for host mode
    + Fix for crash in ppp0 connections 20130103
    !! fixed set_blocking() method preventing SSL MiTM from working
    !! changed SSLStrip plugin to use PCRE
    !! more improvements to SSLStrip plugin
    + Added MySQL 5.x dissector
    + Added O5Logon dissector
    + Added iSCSI CHAP dissector
    + Added TN3270 dissector
    + Added MongoDB dissector
    0.7.5-Assimilation 20121015
    !! fixed more memory leaks
    !! improved GTK GUI
    !! changed build system to CMake.
    + Added IPv6 poisoning and capture.
    + Added NBNS spoof plugin.
    + Added SSLStrip Plugin (EXPERIMENTAL)
    0.7.4-Lazarus 20111202
    !! fixed resource depletion issue
    !! buffer access out-of-bounds issues
    !! fixed DNS dissector not working on 64bit systems
    !! multiple buffer overflows
    !! multiple memory leaks
    !! multiple files with obsolete code
    !! fixed SEND L3 errors experienced by some users
    !! fixed a compilation error under Mac OS X Lion
    !! updated build system
    (Please see bug track for issue specifics)
    NG-0.7.4 2005
    + added the radius dissector
    + go into unoffensive mode if libnet initialization fails
    !! etterfilter now accepts empty blocks
    !! the log files are closed on SIGTERM
    !! fixed a compilation error under Mac OS X Tiger
    !! fixed an improper handling of wdg_dynlist callback
    !! fixed bound checking in some dissectors

    @Barry/hfam: Thanks. Now I am humming a 20+ (?) year old song. Even at points of silence, I feel like Michael is quietly whispering the song into my ear over my shoulder, really looking forward to sleeping tonight. I owe you a beer and a slap. :P Good job on the lyrics between you and hfam. :)

    Edit: Spelling

  10. Just saw this post by RMerlin over on smallnetbuilder that may be related:

    Originally Posted by Islandhitman viewpost.gif
    Will Asuswrt-Merlin change this setting so it can be adjusted higher than 80mW? we do not have the same restrictions as the USA for the power level.
    No. And expect this to become the norm in the future for other routers as well.

    Thanks to the FCC, Asus will be forced to actually encrypt part of the wireless code to prevent end-user tampering. This is actually a REQURIEMENT from the FCC now. Manufacturers are required to ensure that end-users cannot change wireless behaviour or their regulation region through software modifications.
    Asuswrt-Merlin: Customized firmware for Asus routers
    Github: github.com/RMerl - Twitter: RMerlinDev
    See the sticky post for more info.
  11. Did you install Norton two months ago?

    Edit: Some time ago, when I was at university, I was in the same boat as you. It took time, but we got them to ditch Norton. It was horrendous, I had a brand new computer at the time, and after installing Norton it felt like my old machine.

    I am assuming that the Norton has some kind of access control for you to connect? What is stopping you uninstalling it and connecting?

  12. For the sake of comparison, I've attached my report with the necessary section for you to compare:

    Kernel Extensions:
    	[loaded]	at.obdev.nke.LittleSnitch (4202 - SDK 10.8) Support
    Startup Items:
    	ChmodBPF: Path: /Library/StartupItems/ChmodBPF
    Launch Daemons:
    	[running]	at.obdev.littlesnitchd.plist Support
    	[loaded]	com.adobe.fpsaud.plist Support
    	[loaded]	com.github.dnscrypt-osxclient.DNSCryptAfterboot.plist Support
    	[failed]	com.github.dnscrypt-osxclient.DNSCryptConsoleChange.plist Support
    	[loaded]	com.github.dnscrypt-osxclient.DNSCryptControlChange.plist Support
    	[loaded]	com.github.dnscrypt-osxclient.DNSCryptNetworkChange.plist Support
    	[loaded]	com.oracle.java.Helper-Tool.plist Support
    	[loaded]	com.oracle.java.JavaUpdateHelper.plist Support
    	[not loaded]	com.teamviewer.teamviewer_service.plist Support
    	[loaded]	org.macosforge.xquartz.privileged_startx.plist Support
    Launch Agents:
    	[running]	at.obdev.LittleSnitchUIAgent.plist Support
    	[not loaded]	com.adobe.AAM.Updater-1.0.plist Support
    	[running]	com.github.dnscrypt-osxclient.DNSCryptMenuBar.plist Support
    	[loaded]	com.oracle.java.Java-Updater.plist Support
    	[not loaded]	com.teamviewer.teamviewer.plist Support
    	[not loaded]	com.teamviewer.teamviewer_desktop.plist Support
    	[loaded]	org.macosforge.xquartz.startx.plist Support
    User Launch Agents:
    	[loaded]	com.adobe.ARM.[...].plist Support
    	[loaded]	com.google.keystone.agent.plist Support
    User Login Items:
    	Alfred 2
    Internet Plug-ins:
    	Unity Web Player: Version: UnityPlayer version 4.3.5f1 - SDK 10.6 Support
    	Default Browser: Version: 537 - SDK 10.9
    	AdobeAAMDetect: Version: AdobeAAMDetect - SDK 10.6 Support
    	FlashPlayer-10.6: Version: - SDK 10.6 Support
    	AdobePDFViewerNPAPI: Version: 11.0.03 - SDK 10.6 Support
    	Silverlight: Version: 5.1.30317.0 - SDK 10.6 Support
    	Flash Player: Version: - SDK 10.6 Support
    	QuickTime Plugin: Version: 7.7.3
    	SharePointBrowserPlugin: Version: 14.3.5 - SDK 10.6 Support
    	AdobePDFViewer: Version: 11.0.03 - SDK 10.6 Support
    	JavaAppletPlugin: Version: Java 8 Update 05 Check version
    Safari Extensions:
    	Adblock Plus: Version: 1.8.3
    Audio Plug-ins:
    	BluetoothAudioPlugIn: Version: 1.0 - SDK 10.9
    	AirPlay: Version: 2.0 - SDK 10.9
    	AppleAVBAudio: Version: 203.2 - SDK 10.9
    	iSightAudio: Version: 7.7.3 - SDK 10.9
    iTunes Plug-ins:
    	Quartz Composer Visualizer: Version: 1.4 - SDK 10.9
    User Internet Plug-ins:
    	Google Earth Web Plug-in: Version: 7.1 Support
    3rd Party Preference Panes:
    	DNSCrypt  Support
    	Flash Player  Support
    	Java  Support
    Time Machine:
    	Time Machine not configured!
    Top Processes by CPU:
    	     4%	PluginProcess
    	     3%	coreaudiod
    	     3%	vmware-vmx
    	     3%	WindowServer
    	     1%	fontd
    Top Processes by Memory:
    	2.77 GB	vmware-vmx
    	1.26 GB	firefox
    	803 MB	PluginProcess
    	433 MB	com.apple.WebKit.WebContent
    	426 MB	WindowServer
    Virtual Memory Information:
    	5.14 GB	Free RAM
    	4.85 GB	Active RAM
    	835 MB	Inactive RAM
    	4.50 GB	Wired RAM
    	4.17 GB	Page-ins
    	0 B	Page-outs
  13. Okay, I did a quick google on the top processes by memory.

    Top Processes by Memory:

    688 MB SymAutoProtect

    328 MB savapi

    279 MB nessusd

    156 MB softwareupdated

    131 MB Safari

    SymAutoProtect is part of Norton and is well documented at being a resource hog. Check out this thread regarding norton:

    https://discussions.apple.com/thread/1910170?tstart=0 and the uninstaller: https://support.norton.com/sp/en/us/home/current/solutions/kb20080427024142EN_EndUserProfile_en_us

    Also "savapi" is part of Avira, and when real time scanning is on, it becomes a hog. See here: https://forum.avira.com/wbb/index.php?page=Thread&threadID=144303

    You should shutdown nessusd when you are not using it as well:

    To stop nessusd via terminal:

    sudo launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist

    To start nessusd via terminal:

    sudo launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist

    I personally would get rid of all the anti virus (You also appear to be running two at the same time), and replace is with clamxav (free). For a firewall, I use Little Snitch.



  14. Hey Seb,

    Interesting, and sounds plausible. Just to cover all bases, did you try jow's hack over from openwrt? http://luci.subsignal.org/~jow/reghack/

    The reghack utility replaces the regulatory domain rules in the driver binaries
    with less restrictive ones. The current version also lifts the 5GHz radar
    channel restrictions in ath9k.
    This version is made for current OpenWrt trunk. To patch older release like 12.09,
    use http://luci.subsignal.org/~jow/reghack/old/ .
    How to use:
    ssh root@openwrt
    On ar71xx:
    cd /tmp/
    wget http://luci.subsignal.org/~jow/reghack/reghack.mips.elf
    chmod +x reghack.mips.elf
    ./reghack.mips.elf /lib/modules/*/ath.ko
    ./reghack.mips.elf /lib/modules/*/cfg80211.ko
    On mpc85xx:
    cd /tmp/
    wget http://luci.subsignal.org/~jow/reghack/reghack.ppc.elf
    chmod +x reghack.ppc.elf
    ./reghack.ppc.elf /lib/modules/*/ath.ko
    ./reghack.ppc.elf /lib/modules/*/cfg80211.ko

    Edit: Just a quick note that I forgot to mention, a couple of people were able to reach 20 dBm max with this, that appears to be the final limit. It was a mixed bag from the forum posts, some say it had no impact, others it worked. It may very well be what Seb was suggesting, and the software output isn't the actual.

  • Create New...