mw3demo
-
Posts
133 -
Joined
-
Last visited
-
Days Won
2
Posts posted by mw3demo
-
-
I don't understand it either. Basically, he's arguing that this should ping the heuristic of your antivirus, and therefore it should know when the real thing comes along. However, surely they already have signatures for this, and updates to their own heuristic engines. It doesn't make sense, and doesn't smell right.
Feels like some elaborate social engineering attempt to download his modified exe, which is probably a virus itself and he wants to see if it's detected without submitting to virustotal (and therefore to the AV companies)
-
Looks like a new release will be coming out soon, but even more exciting is the MITMf integration that is on the cards (Unless this is going to be in the next release!). MITMf will replace some of the infusions we have come to love and hate, and replace them with a one stop shop framework. This will hopefully solve some of the issues we were having running multiple infusions impacting the network. Now we will have the best of hardware and software MITM in one sweet pineapple!
Some functionality may not make it due to being CPU intensive (FilePwn), regardless, this is going to be a giant leap!
MITMf V0.9.5
Framework for Man-In-The-Middle attacks
Availible plugins
- Responder - LLMNR, NBT-NS and MDNS poisoner
- SSLstrip+ - Partially bypass HSTS
- Spoof - Redirect traffic using ARP Spoofing, ICMP Redirects or DHCP Spoofing and modify DNS queries
- Sniffer - Sniffs for various protocol login and auth attempts
- BeEFAutorun - Autoruns BeEF modules based on clients OS or browser type
- AppCachePoison - Perform app cache poison attacks
- SessionHijacking - Performs session hijacking attacks, and stores cookies in a firefox profile
- BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
- CacheKill - Kills page caching by modifying headers
- FilePwn - Backdoor executables being sent over http using bdfactory
- Inject - Inject arbitrary content into HTML content
- JavaPwn - Performs drive-by attacks on clients with out-of-date java browser plugins
- jskeylogger - Injects a javascript keylogger into clients webpages
- Replace - Replace arbitary content in HTML content
- SMBAuth - Evoke SMB challenge-response auth attempts
- Upsidedownternet - Flips images 180 degrees
Changelog
Addition of the Sniffer plugin which integrates Net-Creds currently supported protocols are: FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc..) and Kerberos
Integrated Responder to poison LLMNR, NBT-NS and MDNS, and act as a WPAD rogue server.
Integrated SSLstrip+ by Leonardo Nve to partially bypass HSTS as demonstrated at BlackHat Asia 2014
Addition of the SessionHijacking plugin, which uses code from FireLamb to store cookies in a Firefox profile
Spoof plugin now supports ICMP, ARP and DHCP spoofing along with DNS tampering
Spoof plugin can now exploit the 'ShellShock' bug when DHCP spoofing!
Usage of third party tools has been completely removed (e.g. ettercap)
FilePwn plugin re-written to backdoor executables and zip files on the fly by using the-backdoor-factory and code from BDFProxy
Added msfrpc.py for interfacing with Metasploits rpc server
Added beefapi.py for interfacing with BeEF's RESTfulAPI
Addition of the app-cache poisoning attack by Krzysztof Kotowicz (blogpost explaining the attack here http://blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html)
Links:
https://twitter.com/hak5darren/status/585168796739964928
-
Hey Xcellerator,
I reached out to Seb and Darren over on twitter and a new firmware should be coming out shortly (Also, MITMf integration appear to be on the horizon! This is epic news, it's well coded, and should remove the need for other infusions which weren't running well on the MKV. Not sure if it will land in the next release though!) Hope fully over the next week or so we should see a release.
-
Looks great! Will give it a test! Meanwhile, leverage off this idea with more attacks and keep that ducky quacking! :)
-
You need to change the link to http://www.fruitcovetech.com/updated-911_ap-sh-script-for-your-fakeap-pleasure-updated-for-kali/ vs http://www.fruitcovetech.com/updated-911_ap-sh-script-for-your-fakeap-pleasure-updated-for-kali/?preview=true&preview_id=87&preview_nonce=c9cccc612a
This is because your original link has a preview argument. "You do not have permission to preview drafts."
-
Alright. So your Bit Rate is similar as mine. Lets try this:
1) ssh into your pineapple and run the command "top".
2) Run PineAP and harvester like you were before and any other options you had running
3) Open another ssh session in a seperate window and run: bash -c 'while [ 0 ]; do iwconfig | grep "Bit Rate"; sleep 1; done'
Im curious to see if your Bit Rate drops whilst running. Mine varies between 52 Mb/s to 72.2 Mb/s.. With just PineAp and harvester etc running, the browsing is seamless. As soon as I start ettercap/sslstrip, it gets sluggish then hangs.
On a side note, after I stopped sslstrip and etterca, the nginx process hung and saturated the link between the pineapple and my laptop. When I browsed to 172.16.42.1:1471, I get bad gateay. Only thing todo was reboot the pineapple. I think it's all load related, but in your case you didnt have any infusions running right?
-
Hey there!
Can you post the info you see on the client mode page. Just to be sure as well, your AP and the pineapple are on seperate channels right?
-
Interesting, did not know it got deleted due to a Spanish gag law. No idea what the gov thought they could achieve by doing so.
"Cause the new gag law which criminalized the publication of 'offensive' security tools/techniques I have to delete this repository. You can find good forks on MITMf framework (https://github.com/byt3bl33d3r/MITMf) or MANA rogue AP (https://github.com/sensepost/mana)."
On a side note, MITMf's dev is pretty active, and has plans for additional features (https://github.com/byt3bl33d3r/MITMf/issues) , and he also just did a presentation at Black Hat Asia. I posted a ticket to his repo to see if he was interested in porting to the MKV back in December. He seemed very interested and also by chance, had a MKV already. Some libs were missing that would need to be included, and some functionality would have to be scaled back due to being too resource intensive, but the main parts could work.
He is currently waiting for feedback from Seb/Darren, but they may very well be well along with their own version, or some other problem with officially incorporating such thing legally, commercially, or maybe limitations of the CPU/RAM to get it right, I don't know. I also posted a ticket on Sebs suggestion tracker last month, but no news yet.
I know both Darren and Seb have been traveling a bunch over the past few months, as well as working on the show, so fingers crossed we get some feedback on a new proxy one way or another. :)
Links: MITMf blog: http://sign0f4.blogspot.it/
GitHub: https://github.com/byt3bl33d3r/MITMf
MITMf ticket: https://github.com/byt3bl33d3r/MITMf/issues/31 (Closed pending feedback )
Wifi pineapple ticket: https://www.wifipineapple.com/index.php?portal&bugs&action=view&id=291
-
Cooper! Damnit. Was trying to do some social engineering. I was going to post this:
"This all doesn't sound right, and is very suspicious. Your post screams at me that you are a peadophile. I have never heard of such a horrendous situation as a step father and his friend kidnapping a girl from another mother "teaching some skills and don't lie to us".
I dated girls when I was 6 and onwards. You know what we did? Held hands, laughed and watched TV oh the shock horror. If I heard my wives new partner kidnapped my girl, I would find you and show you what kidnapping is all about, you would beg me to end it. What the hell is wrong in that sick twisted head of yours? Go get some help."
Edit: Either this guy is a peadophile, or is actually a 11 year old himself. Out of curiosity though, how come you replied to him in Dutch Cooper? Anyways $5 says he doesn't reply.
Edit 2: Just looked at his post again and saw that he mentioned he was Dutch.
-
Hi Ken,
This all depends on where you live. What country are you from? A city would be even better because some apps work alot better depending on this due to GPS programming for certain areas.
Greetings,
mw3demo
-
Glad you are now up and running with your ducky! :)
-
I think your problem is the missing delay at the beginning, as the usb is plugged in and needs to load drivers etc. Try adding "DELAY 3000" before "GUI r"
-
Happens to all of us ;)
All the changes / additions we have made can be found in the changelog on the first page.
In regards to a better dnsspoof, we are still working on our MITM proxy which will hopefully be released before the end of the year.
Otherwise, we'll soon have a hangout where we will discuss future features.
Best regards,
Sebkinne
Hey Seb,
Hope you have been well. Thank you for the early Christmas Present! :) I was interested in seeing if a MITM proxy was capable of running on the pineapple. I came acroos the MITMf over at https://github.com/byt3bl33d3r/MITMf/ based on sergio-proxy, and the dev has been really active over the past month. I raised a ticket to see if the dev was interested in seeing if this could run on the MK V. Here is the link to the ticket with the devs replies: https://github.com/byt3bl33d3r/MITMf/issues/31 .
I only just noticed you were already working on one which is great news. The MITMf dev seemed interested in porting this over though (He also owns a MK V), but ran into trouble due to missing libs. Would you be interested in helping port this project onto your firmware?
-
So i have changed the script to work with the PineApple. At this moment the PineApple forwards all the data to my machine (just as it does with the wp5.sh script) and my machine does all the stuff (dns2proxy and sslstrip). I am looking to get this done on the PineApple, so i don't need my machine anymore. But i am not sure if the PineApple is strong enough to do all this stuff on the fly for say - 5 - connected users. My machine had a load of 58% with 6 connected users.
Hey Barney,
Great job! As Cooper said, if it's giving you that sort of load on a laptop/desktop, it will probably be too heavy for the pineapple. Can you share your script and details of the setup?
-
I noticed that sometimes when you press start, it doesn't show you its running, but it is actually enabled. Try refreshing your page 10 seconds after you enable it, it should show it as on.
-
This reminds me, any chance getting ettercap/other packages updated? Updates to the pineapple firmware are great, Sebs done a fanstastic job. The MKV has no problem getting a bunch of clients, recon/scanning is pretty much covered, we now need more tools for exploit and maintaining access.
The current version is 7 years old. I posted this ticket a couple months back: https://wifipineapple.com/?portal&bugs&action=view&id=141 , understand packaging isn't straight forward from link in the ticket, and most of the packages are based on the OpenWrt repository, so it may take some time.
Here is is the changelog from the current OpenWrtw package, 0.7.3, to 0.8.0:
0.8.0-Lacassagne 20130921 !! Fixed some problems in fork and execve usage in case of command failure (sslstrip) !! Fixed dropping privileges for remote_browser plugin ran as root !! Fixed infinite loop when a http GET was issued on the attacker browser, while remote_browser was active !! Fixed some "atexit" bad references !! Fixed plugin load on text interface, if no number were entered !! Fixed problem spotted when ethtool wasn't installed on the machine !! Fixed old "ethereal" references !! Fixed missing newlines in printf !! Switching to ps2pdf as default (from ps2pdf13), it should point to ps2pdf14 on all distros !! Fix cmake file, dropped MACPORTS_BASE_DIRECTORY !! Fix problem in "stopping attacks" window not properly shown in gtk !! Fix problem in wrong pcap file saving !! Fix issue in send_udp function !! Fix problem in libnet rc detection !! Fix restore ip_forward by retrying up to 5 times !! Fix socket issues !! Fix for hex format display !! New send_tcp function, taking payload and length !! Fixed memory leak in remote browser plugin !! Fixed comparison bug in ec_decode !! Fixed UI input for GTK !! Fixed some memory leaks !! Fixed man pages and AUTHORS file !! Fixes in sslstrip plugin !! Many etter.dns fixes !! Many documentation fixes !! A ton of refactors/fixes in Cmake scripts !! Fix GTK crash when scanning hosts !! Fix build failure on Mac OS X 10.6 !! Crash fix in target selection !! Disabled UID change for remote browser plugin !! Fixed remote browser plugin !! A ton of fixes in protocols and dissectors (dhcp, http, ppp, mpls) + New ettercap logo + Renamed help menu to "?", to avoid double "H" shortcut + New WARN_MSG warning message + Added message in DHCP spoofing when no mitm has started + New horizontal scrollbar for messages in gtk view + Disabled offload warning messages (only in Release mode) + New ettercap-pkexec, policy and ettercap.desktop files for launching ettercap -G as a normal user with sudo privileges + Automatic host list refresh in GTK GUI after scanning + New fraggle plugin attack + New fields in etter.fields file + Cherry picked debian patches (svg icon) + Added content print on http dissector + Added support for negative dns replies + Creation of (experimental) unit tests + Creation of (experimental) libettercap + Now you can build just the ettercap library (libettercap) without any GUIs + Added travis-ci support + DNS spoofing for IPv6 addresses + PDF Docs generation is not optional + Added SRV query handling to DNS spoof + New mDNS spoof plugin + New low level decoders + New decoder for ip over pppoe + Added PPP DLT to interfaces + Add experimental Lua support to Ettercap + New Bundle libnet and curl + Full support for wifi decrypting (wep and wpa) - Disabled update feature (not working anymore and not secure) - Deprecated napster dissector 0.7.6-Locard 20130327 !! Fixed some parsing errors !! Fixes to TN3270 dissector and SSL Strip !! PostgreSQL dissector: Update output format to reflect release syntax for John the Ripper 1.7.9-Jumbo-8. The old format is still supported, but deprecated. !! Fixed memory leak in SSL Strip plugin !! Fixed check in invalid ip header !! Fixed QoS packets handling (they aren't dropped anymore) !! Fix in o5logon Heap Corruption !! New and updated OUI file !! Some memory leaks fixed !! Fixed some bugs in return values and fstat failures handling !! Fixed a bug in some password display (didn't get null terminated) !! Many fixes in gcc warnings when building !! Better cmake module to find curl and libnet !! Fixed bug in filters load !! Fixes in HTTP and HTTPs protocols !! Fixed UI deadlock !! Fixes in tcp and http handling (infinite loop and crash) !! Better reads in BGP to avoid invalid reads + New logo + Added ascii FQDN support to DHCP ACK + Added UA parsing to http packets + Added support for IPv4 and IPv6 Tunnels + New mDNS dissector + Added PPI support (per packet information) for wireless captures + Ensure that we find required packages with cmake + New clean-all cmake target + Print a message when done reading PCAP file - Removed 'u' and 'p' fields from etter.fields 0.7.5.3-Assimilation 20130201 !! Fixed ncurses host scan crash (already fixed in 0.7.5.2) !! Fixed ppp connection crash (already fixed in 0.7.5.2) !! Fixed only MiTM mode selecting text interface + Changed to version 0.7.5.3 to help distributions. 0.7.5.2-Assimilation 20130129 !! applied patch to fix CVE-2012-0722 !! fixed username detection in TN3270 dissector + Added new private-key and certificate-file options for SSL MiTM + Fix for crash in ncurses multiple scan for host mode + Fix for crash in ppp0 connections 0.7.5.1-Assimilation 20130103 !! fixed set_blocking() method preventing SSL MiTM from working !! changed SSLStrip plugin to use PCRE !! more improvements to SSLStrip plugin + Added MySQL 5.x dissector + Added O5Logon dissector + Added iSCSI CHAP dissector + Added TN3270 dissector + Added MongoDB dissector 0.7.5-Assimilation 20121015 !! fixed more memory leaks !! improved GTK GUI !! changed build system to CMake. + Added IPv6 poisoning and capture. + Added NBNS spoof plugin. + Added SSLStrip Plugin (EXPERIMENTAL) 0.7.4-Lazarus 20111202 !! fixed resource depletion issue !! buffer access out-of-bounds issues !! fixed DNS dissector not working on 64bit systems !! multiple buffer overflows !! multiple memory leaks !! multiple files with obsolete code !! fixed SEND L3 errors experienced by some users !! fixed a compilation error under Mac OS X Lion !! updated build system (Please see bug track for issue specifics) NG-0.7.4 2005 + added the radius dissector + go into unoffensive mode if libnet initialization fails !! etterfilter now accepts empty blocks !! the log files are closed on SIGTERM !! fixed a compilation error under Mac OS X Tiger !! fixed an improper handling of wdg_dynlist callback !! fixed bound checking in some dissectors
@Barry/hfam: Thanks. Now I am humming a 20+ (?) year old song. Even at points of silence, I feel like Michael is quietly whispering the song into my ear over my shoulder, really looking forward to sleeping tonight. I owe you a beer and a slap. :P Good job on the lyrics between you and hfam. :)
Edit: Spelling
-
@Darren : Any official word?
-
Just saw this post by RMerlin over on smallnetbuilder that may be related:
No. And expect this to become the norm in the future for other routers as well.Quote:Originally Posted by Islandhitman
Will Asuswrt-Merlin change this setting so it can be adjusted higher than 80mW? we do not have the same restrictions as the USA for the power level.
Thanks to the FCC, Asus will be forced to actually encrypt part of the wireless code to prevent end-user tampering. This is actually a REQURIEMENT from the FCC now. Manufacturers are required to ensure that end-users cannot change wireless behaviour or their regulation region through software modifications.__________________
Asuswrt-Merlin: Customized firmware for Asus routers
Github: github.com/RMerl - Twitter: RMerlinDev
See the sticky post for more info. -
Did you install Norton two months ago?
Edit: Some time ago, when I was at university, I was in the same boat as you. It took time, but we got them to ditch Norton. It was horrendous, I had a brand new computer at the time, and after installing Norton it felt like my old machine.
I am assuming that the Norton has some kind of access control for you to connect? What is stopping you uninstalling it and connecting?
-
For the sake of comparison, I've attached my report with the necessary section for you to compare:
Kernel Extensions: [loaded] at.obdev.nke.LittleSnitch (4202 - SDK 10.8) Support Startup Items: ChmodBPF: Path: /Library/StartupItems/ChmodBPF Launch Daemons: [running] at.obdev.littlesnitchd.plist Support [loaded] com.adobe.fpsaud.plist Support [loaded] com.github.dnscrypt-osxclient.DNSCryptAfterboot.plist Support [failed] com.github.dnscrypt-osxclient.DNSCryptConsoleChange.plist Support [loaded] com.github.dnscrypt-osxclient.DNSCryptControlChange.plist Support [loaded] com.github.dnscrypt-osxclient.DNSCryptNetworkChange.plist Support [loaded] com.oracle.java.Helper-Tool.plist Support [loaded] com.oracle.java.JavaUpdateHelper.plist Support [not loaded] com.teamviewer.teamviewer_service.plist Support [loaded] org.macosforge.xquartz.privileged_startx.plist Support Launch Agents: [running] at.obdev.LittleSnitchUIAgent.plist Support [not loaded] com.adobe.AAM.Updater-1.0.plist Support [running] com.github.dnscrypt-osxclient.DNSCryptMenuBar.plist Support [loaded] com.oracle.java.Java-Updater.plist Support [not loaded] com.teamviewer.teamviewer.plist Support [not loaded] com.teamviewer.teamviewer_desktop.plist Support [loaded] org.macosforge.xquartz.startx.plist Support User Launch Agents: [loaded] com.adobe.ARM.[...].plist Support [loaded] com.google.keystone.agent.plist Support User Login Items: iTunesHelper Flux Viscosity Alfred 2 Internet Plug-ins: Unity Web Player: Version: UnityPlayer version 4.3.5f1 - SDK 10.6 Support Default Browser: Version: 537 - SDK 10.9 AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 Support FlashPlayer-10.6: Version: 14.0.0.125 - SDK 10.6 Support AdobePDFViewerNPAPI: Version: 11.0.03 - SDK 10.6 Support Silverlight: Version: 5.1.30317.0 - SDK 10.6 Support Flash Player: Version: 14.0.0.125 - SDK 10.6 Support QuickTime Plugin: Version: 7.7.3 SharePointBrowserPlugin: Version: 14.3.5 - SDK 10.6 Support AdobePDFViewer: Version: 11.0.03 - SDK 10.6 Support JavaAppletPlugin: Version: Java 8 Update 05 Check version Safari Extensions: Adblock Plus: Version: 1.8.3 Audio Plug-ins: BluetoothAudioPlugIn: Version: 1.0 - SDK 10.9 AirPlay: Version: 2.0 - SDK 10.9 AppleAVBAudio: Version: 203.2 - SDK 10.9 iSightAudio: Version: 7.7.3 - SDK 10.9 iTunes Plug-ins: Quartz Composer Visualizer: Version: 1.4 - SDK 10.9 User Internet Plug-ins: Google Earth Web Plug-in: Version: 7.1 Support 3rd Party Preference Panes: DNSCrypt Support Flash Player Support Java Support Time Machine: Time Machine not configured! Top Processes by CPU: 4% PluginProcess 3% coreaudiod 3% vmware-vmx 3% WindowServer 1% fontd Top Processes by Memory: 2.77 GB vmware-vmx 1.26 GB firefox 803 MB PluginProcess 433 MB com.apple.WebKit.WebContent 426 MB WindowServer Virtual Memory Information: 5.14 GB Free RAM 4.85 GB Active RAM 835 MB Inactive RAM 4.50 GB Wired RAM 4.17 GB Page-ins 0 B Page-outs
-
Okay, I did a quick google on the top processes by memory.
Top Processes by Memory:
688 MB SymAutoProtect
328 MB savapi
279 MB nessusd
156 MB softwareupdated
131 MB Safari
SymAutoProtect is part of Norton and is well documented at being a resource hog. Check out this thread regarding norton:
https://discussions.apple.com/thread/1910170?tstart=0 and the uninstaller: https://support.norton.com/sp/en/us/home/current/solutions/kb20080427024142EN_EndUserProfile_en_us
Also "savapi" is part of Avira, and when real time scanning is on, it becomes a hog. See here: https://forum.avira.com/wbb/index.php?page=Thread&threadID=144303
You should shutdown nessusd when you are not using it as well:
To stop nessusd via terminal:
sudo launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
To start nessusd via terminal:
sudo launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
I personally would get rid of all the anti virus (You also appear to be running two at the same time), and replace is with clamxav (free). For a firewall, I use Little Snitch.
-
Could if possibly be your antivirus scanning which bumps the load up? Try and install a fan control program such as this http://www.macupdate.com/app/mac/47386/macs-fan-control
Here are my temperatures on auto mode with Kali running, Mail, and a bunch of tabs on Firefox.
-
Post your screen shot from activity monitor, this can happen for a bunch of reasons. From my experience, it is usually a flash plugin or something similar hanging causing the fans to spin.
You can also use this great diagnostic tool for macs called Etrecheck, and paste the output: http://www.macupdate.com/app/mac/48217/etrecheck
-
Hey Seb,
Interesting, and sounds plausible. Just to cover all bases, did you try jow's hack over from openwrt? http://luci.subsignal.org/~jow/reghack/
The reghack utility replaces the regulatory domain rules in the driver binaries with less restrictive ones. The current version also lifts the 5GHz radar channel restrictions in ath9k. This version is made for current OpenWrt trunk. To patch older release like 12.09, use http://luci.subsignal.org/~jow/reghack/old/ . How to use: ssh root@openwrt On ar71xx: cd /tmp/ wget http://luci.subsignal.org/~jow/reghack/reghack.mips.elf chmod +x reghack.mips.elf ./reghack.mips.elf /lib/modules/*/ath.ko ./reghack.mips.elf /lib/modules/*/cfg80211.ko reboot On mpc85xx: cd /tmp/ wget http://luci.subsignal.org/~jow/reghack/reghack.ppc.elf chmod +x reghack.ppc.elf ./reghack.ppc.elf /lib/modules/*/ath.ko ./reghack.ppc.elf /lib/modules/*/cfg80211.ko reboot
Edit: Just a quick note that I forgot to mention, a couple of people were able to reach 20 dBm max with this, that appears to be the final limit. It was a mixed bag from the forum posts, some say it had no impact, others it worked. It may very well be what Seb was suggesting, and the software output isn't the actual.
New firmware coming out soon and MITMf integration on the cards!
in WiFi Pineapple Mark V
Posted