-
Posts
29 -
Joined
-
Last visited
Posts posted by Urieal
-
-
Greetings all,
Recently recovered several hashes during a recent engagement - cracked all but one.
Anyone care to take a stab? It's an NTHASH, I've tried hashcat, rainbowtables via oph still no dice
HASH:
59658e5f44d88ec0ff7b40cfcb21ecc2
-
Unplugged - Look into PhishMe - Great Product, encouraging, and really does help cut down on problems! Partner winning departments with gift cards / lunch / pizza / whatever and I assure you will see rapid improvement.
-
"So I'm a student in IT Security, and I live in a really small town. I know most of the members of the local police department. The town is really small, so the police department usually has about eight people working at a time, and the building is about the size of an average convience store or two. Unofficially, they are wanting me to give a demostration of a few things related to hacking and monitoring, stuff that might help them in their line of work, including the WiFi Pineapple Mk5.
I already have a bunch of stuff prepared, but I'm wanting to know where I stand on the legalities of this. Like I said, the entire thing is unofficial, and I could probably launch a couple hundred attacks on their network and no one would care. But just to be safe, I'm not going to be doing that.
I plan on bringing my own network equiptment and pretty much setting up a fake network to demonstrate on. But one thing they do want me to do is get the password of their WiFi connection. I've already made two videos showing different ways to do this, but it was on my own network. They are wanting to see me do it live.
What do I need to do in order to not have this come back and possible haunt me later?
Like I said, they know I'm doing it, and I've been given verbal permission, but I'm just wanting to be safe here. Any advice? Thanks."
Let's look at what you've written a little more closely...
in your opening statement to this forum you have used words like "Unofficially" "Unofficial" "Hundreds of Attacks" "There Network".
"Verbal Permission".
You want advice? Well I'm about to give you some.
Just say no.
First of all, if you actually knew what you were doing you wouldn't be asking us for advice on how to proceed legally. You'd know that part of the initial scoping call and
pre-engagement meeting where it's defined what exactly you're going to be doing, that you'd also have obtained whats commonly referred to as a "Get Out of Jail Free" card.
This "card" is signed paperwork that has a clearly defined scope, context, and signing officers that prevents you from being held liable or responsible for any "issues" that may occur
so long as what you were doing was within the "scope" as "defined" in the "pre-engagement" and "scoping" meetings.
Secondly, in an environment such as law enforcement it's highly unorthodox for them to seek out "non-professional" assistance from someone who is still "learning. In fact
the only thing more expensive than hiring an expert is an amateur - if you're suggesting that we provide assistance, support, direction, or advice on how to perform a penetration
test / show & tell I'd encourage you to stop dead in your tracks - put your best foot forward, and pursue no more.
Third - There is far more to "Training & Information" than just the pineapple. Any half breed, potato head knows that Wireless vs Wired should be separated. If you think
exposing them to what the PineApple can do then you're not really doing them any justice. If they really want to know whats "out there" theres things like
BlackHAT - Now that will be an eye opener!
If you're still hellbent on not following my advice or anyone else that's trying to steer you in the clear then keep in mind that the biggest fear for law enforcement is data breach.
So technologies like drop-boxes, rogue access points, detection and suppression, SIEM / USM's, hardware key loggers both wired and wireless, layer 3 switches with DAI engaged
are things you'd want to talk about.
My point in all of this is your limited knowledge of the entire "threat landscape" is not going to serve them any justice. When we talk wireless, are they using 802x Radius,
WPA2-Personal? Is it Two Stage, is it Voucher Based, do they already have detection systems in place. I mean the list really does go on and on and on...
In the end, you do what you feel is right - but my advice, as someone who does this for a living...
If you have to ask how to do it "legally" - you don't do it period.
-
Cleared for Confidentiality.
Mods please delete post.
-
Cleared for Confidentiality.
Mods please delete post.
-
Cleared for Confidentiality.
Mods please delete post.
-
MSF is currently broken, they are releasing updates almost hourly trying to get it back up and running...
The past 2 days have resulted in over 600mb updates..
Are you apt-get update
apt-get upgrade daily on your nix distro?
Also,
be sure to run
service postgresql start
followed by
service metasploit start.
You may need to rebuild manually...
-
I'll just chime in here for a brief moment.
Chris H; if you're reading this I want you to know that I personally found your videos and guides invaluable. More often than not we (all of us) search the internet for resources and assistance dealing with a wide variety of issues.
Your videos were clear, concise, to the point... I can personally say that as a small business in the Pen Testing game your videos were integral to some of our major wins...On behalf of Digitally Evolved, we salute you.
-
Ugh, captive portal with credential harvester.
Forget trying to research HSTS; no disrespect intended but HSTS is also worked directly into the browser...
If any of you are legit pen testers, I really hope that you all do a lot more reconnasiance on your targets instead of waiting for 'someone' to release a HSTS SSL STRIP.....
Target using Internet Explorer inhouse? SSLSTRIP
Target using Chrome,Safari,Firefox,ect, Credential Harvester / Social Engineering / Ettercap.
Many people use forums that don't offer https and these same people are likely to use the same passwords for several other areas of internet access.
Everytime I see someone inquire about HSTS / SSLSTRIP I can't help but feel its a skid/teenybopper.
Trying to compromise facebook accounts.
Legit Pen Testing is all about the shell, besides.. if you're doing credential harvesting you're already in red teaming territory?
Why not just keylog?
Just sayin'.
-
I'd recommend you take a look at this thread:
https://forums.hak5.org/index.php?/topic/33629-on-assignment-disappointed-with-mark-v/Towards the bottom is how we got it to work (AND) keep the internet sharing alive.
Still waiting on an official word, but the above worked well for us...
-
We've got it working now, -we think-, internet is still active for users whom are connected and in partnership with sslstrip all seems to be operational.
Thus, the question.
- Earlier on it was advised that if installed correctly, you simply select your interface and hit start..... clearly in our attempts this did not work.
Is this a known problem, did we skip a step, is there something we're not seeing here?
We'll be on deployment this Tuesday for about a week.... and want to bring the pineapple along for the assessment -- however, until I know for sure its certain I right now have a fewhundred dollar paperweight.
Anyone able to chime in?
-
Step 6.) We went back into the etter.conf file, have changed the uid / gid in step 5 AND proceeded to remove the #'s surrounding ip forwarding. We then rebooted the pineapple and restarted ettercap.
Clients connected to the Pineapple still have internet at this point and redir_command_on is no longer showing.It 'appears' to be fixed...
-
Stage 5.) We have edited the etter.conf file located /etc/etter.conf via nano
We have edited the uid and ged values to 0.
We rebooted the pineapple and restarted ettercap.
- All devices connected - lose internet at this point again. -
-
1.) I'm navigating to the pineapple bar and selecting ettercap.
I'm installing it to SD Storage.
2.) The main tile page refreshes and I'm greeted with a red tile (Ettercap)
I've let it sit for almost 20 minutes, - nothing -I decided to hit Install at the bottom and WAIT.
3.) Eventually the tab is refreshed and I get this as a popup.
4.) I select br-lan and hit start and am greeted with the following:
ANyone connect to the device loses internet..At this stage of the game we've been advised to change the ged and uid to 0 in etter.conf
(This file is located in /etc/etter.conf -- not to be confused with the /usr/ path linked in the guide from WhistleBlower earlier).
-
Want to give an update as to where we're at.
We can't seem to locate the etter.conf file anywhere on the sd card (Where the infusion was installed to)
We're now looking for it on the pineapple itself...
We recently reset the pineapple to default settings (as if we unboxed for the first time.)
I went to the infusion pineapple bar, installed ettercap.
The Live Tile was 'red' and said Install dependancies.
We hit install and after a few moments the tile refreshed on its own and was green (normal).
We hit start and were greeted with the log
Listening on eth0... (Ethernet)
eth0 -> 00:13:37:A5:2D:8A invalid invalid
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Starting Unified sniffing...
According to the link supplied by Whistleblower the goal is to edit the etter.conf file.
Our issue:
We can't find it ANYWHERE on the Pineapple?
Perhaps its in a certain folder?
We're happy to edit it, but still at this point can't seem to locate it...
Is this happening to everyone who installs ettercap?
Did we screw something up?
-- Update 4:37
Changed the UID's to 0 -- Still getting the error
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
So what we did was went to
line 168 and 169 and removed the # on the ip_tables line.
I cant help but feel like we've done something wrong here in general.
There is no way everyone is experiencing the same problem as us..
Any and all assistance would be greatly appreciated on resolving this issue....
-- Update 4:57pm.
1.) Reinstalled Pineapple factory settings.
2.) Installed Ettercap infusion
3.) Large Tile was 'red' with INSTALL link on it.
4.) Clicked install
5.) Waited a few moments, the tile refreshed on its own
6.) Hit 'start' on the br-lan interface
7.) Received error
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...
8.) Used Whistleblowers link and putty'd our way onto the pineapple
nano /etc/etter.conf
9.) changed ec_uid and ec_gid to 0 and SAVED the file.
10.) Attempted to run ettercap, and was given the same SSL error, however it now says
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges droped to UID 0 GID 0...
11.) SSH'd back into the pineapple and opened
/etc/etter.conf once again
12.) Modified
Line 168 and 169 and unhashed the iptables for SSL Forwarding.
13.) Saved the file, rebooted the pineapple and now it appears that it may be working..
Tested it with internet explorer.
We also took the time to ssh in and run
cat /proc/sys/net/ipv4/ip_forward
Which displayed 0.
I guess in the end, it looks like its working, albeit slower than molasses on a cold winter day.
This is a lot of work from the simple 'select the interface and hit start' we originally recieved.
Personally, I'd love to know did we do something wrong?
When I hit install on the large tile when it was in red, should I have waited, should something else have happened?
Did we edit the right file.
Overall, Whistleblower, can you please give us an update on how we're doing, if we messed up in the process.
and perhaps would it be best to reinstall 'again' but perhaps wait longer on the 'install' click in the large tile?
Forever greatful,
(You should PM me your paypal if you ahve one, happy to donate.)
-
So I just want to bring to the attention of the experts..
We're currently on assignment and our Mark V is really dropping the ball for us.
Scenario 1.)
Pine AP - enabledKarma MK5 - enabled
Beacon Responder - enabled
Harvester - Enabled
using the TILE FOR ETTERCAP
ettercap on br-lan, hit start.
using the TILE FOR SSLSTRIP
hit start.
-- So long and short, we activate this.
Ettercap turns off / stops working after about 30 seconds. -- In otherwords it STOPS WORKING.
SSL Strip looks like its working
Pine AP, Karma, Beacon, Harvester all reset back to 'disabled' after about 5 minutes.
What am I doing wrong?
Scenario 2.)
To actually get ETTERCAP to work we've gone ahead and ssh'd into it
Via Putty
cd /sd
ettercap -Tq -i br-lan -w filename.pcap
This scenario works, but prevents us from enabling pineap or any of those options in the web browser.
sure enough
after about 30 minutes
It stops working too.
Can someone please tell me why this isn't working.
We bought hte pineapple with intention of using it for our pen testings. but so far its been headache after headache
We are having far more benefi from kali linux and simple etter capping the network that way
Ultimately we want to use the Mark V though
Please someone - anyone... :\
Sadly, not impresssed or happy at the moment.
I even followed the advice of Whistleblower in another thread, but still no dice -- it simply stops working.
-
So from the infusion I click the LARGE tile, and that gives me options (regarding Ettercap)
The first tab has an area to select the INTERFACE and there is also a section for the command line?
Is this where I would put in (in my case I'm using the SD CARD).
cd /sd ettercap -Tq -i (interface) -w filename.pcap
and then hit start?
Thus
saving the entire log to the SDCARD named filename.pcap
One last question-- again sorry (maybe this can get stickied)
The interface I want to select to monitor is the wlan0 if I'm using PineAP for clients to connect?
My Setup is as follows:
WLAN0 - > PineAP Access Point.
WLAN1 - > Not Active
WLAN2 (usb) - > Client Mode via Seperate WiFi)
based on my setup
I take it people connect and use WLAN0 therefor I monitor THAT access point?
OR should I be monitoring WLAN2 in this scenario?I am *NOT* Using eth0.
-
Another method for those of you who enjoy metasploit can be found..
https://www.mattandreko.com/2013/02/21/hsts-metasploit-module/
msf > use auxiliary/scanner/http/http_hstsmsf auxiliary(http_hsts) > show optionsModule options (auxiliary/scanner/http/http_hsts):Name Current Setting Required Description---- --------------- -------- -----------Proxies no Use a proxy chainRHOSTS yes The target address range or CIDR identifierRPORT 443 yes The target portSSL true yes Negotiate SSL for outgoing connectionsTHREADS 1 yes The number of concurrent threadsVHOST no HTTP server virtual hostmsf auxiliary(http_hsts) >msf auxiliary(http_hsts) > set rhosts www.paypal.com, www.google.com, www.yahoo.com, www.wikipedia.orgrhosts => www.paypal.com, www.google.com, www.yahoo.com, www.wikipedia.orgmsf auxiliary(http_hsts) >msf auxiliary(http_hsts) > run -
Posted 26 September 2012 - 10:00 PM
I just run ettercap on the pineapple and dump everything to a pcap file....cd /usb
ettercap -Tq -i br-lan -w filename.pcap
When done collecting open the file in NetworkMiner 1.4
Click on images tab...
done
PS Sometimes I just run driftnet on the host PC that the pineapple is connected to..
Edited by myst32, 26 September 2012 - 10:01 PM.
I stole this post from the Mark IV forums and was wondering if someone could clarify...
Is he referring to running the command
cd /usb ettercap -Tq -i br-lan -w filename.pcap
from the Tile..
or SSHing in and running from there?
-
I am experiencing this same problem, perhaps someone can chime in?
To provide a little more information
I have the following running
PineAP:
PineAP Enabled
MK5 Karma Enabled
Beacon Response Enabled
Network:
wlan0 enabled
wlan1 disabled
wlan2 enabled (connected to my android hotspot) to provide internet.
sslstrip 'on'
and is clearly working as I can see it.
urlsnarf on
br-lan interface.
1.) The internet essentially stops for targeted people when urlsnarf and sslstrip are 'on'.
I tried having urlsnarf monitor br-lan AND wlan0 in seperate tests but again no luck.
2.) SSLSTRIP is working without fail; however when urlsnarf and sslstrip are on at the same time the internet comes to a hault.. and about 30 seconds later
it works again, but clearly urlsnarf is not logging.
Any ideas on how to make the two work together?
-
I'll elaborate on what jmelody said to help answer your question. The source and target fields are part of Dogma.
What does Dogma do? Dogma allows you to focus your KARMA attack towards a specific device. It also allows you to specify a list of access points to broadcast.
Source field - This is where you specify your access point's MAC address. You can enter your Pineapple's MAC address (default) or a spoofed MAC address.
Target field - This is where you specify the MAC address of your target. You can leave it blank (default) to target all devices or you can enter a specific device's MAC address to only target that device.
SSID Management - This is where you can specify a list of access points that you'd like to broadcast. These access points will be broadcasted to your target(s) when Dogma is enabled. You can manually add access points to the list or you can add them from the Reconnoissance scan results (by clicking the access point name).
Here's an example scenario:
Let's say that there are 10 devices sending out probe requests in search of familiar access points but you only want to target one of those devices. After enabling PineAP and Dogma, you can enter the MAC address of the device that you want to target in the "Target" field. When the target device is searching for a wireless access point, it will see the list of access points stored in the SSID Management area. The access points from the SSID Management area will not be broadcasted to the remaining 9 devices or any other devices that come within range. If you don't specify a target, the access points from the SSID Management area will be broadcasted to everyone within range.
NOTE: You can use Reconnaissance to discover the MAC addresses of devices.
Life is like a giant puzzle and everyday you work to add another piece to the inevitable masterpiece.
For what it's worth - everytime I read a post from you or watch a video of yours, I feel like another piece of this massive puzzle has been placed.
Thanks your writeups, your examples, your scenarios, and your simplified breakdown on how, where, when, what, and why things do what they do.
Forever Greatful,
Urieal.
-
Some guys at Sensepost made a new version of sslstrip called sslstrip-HSTS as part of the their new mitm toolset called MANA. it's not a cover all solution but is suspose to work depending on the site. More information and the code can be found here https://github.com/s...r/sslstrip-hsts
Maybe one of the pros here can make an infusion.
https://forums.hak5.org/index.php?/topic/33518-big-thanks-to-hak5-i-snuck-in-a-question-too/
I posted about this in my thread -- I hope some of the pros read through it.
It involves DNS Proxy 2 and SSLSTRIP2.
It has a pretty high success rate; but I'm having a hard time contacting the author..
Hopefully someone can expand on this...
-
My understanding is it is entirely dependent on the browser -- and -- if its apart of the HSTS site list...
Thats why In another forum post I am inquiring to the infusion of SSLSTRIP2 and DNS2Proxy.SSLStrip as it stands has worked flawlessly against all our targets of interest when using Internet Explorer...
Safari,Chrome,Firefox -- Thats a different story all together..But remember - just because SSLStrip doesn't work -- you could always just ettercap or wireshark the data and hope they login to something with HTTP (Clear Text)
You'd be surprised how many people use the same email and password for everything -- We're human.
If you're not having much luck with SSLStrip and you're currently working for someone (client) perhaps try SEToolkit... clone the page and e-mail your clients..
You'd be amazed at how many people believe they really did win a free Ipad -- or a cruise to the bahamas. -
Kali - Cloud Server (Think Azure or AWS)
in Questions
Posted
Hi everyone - Unique question hoping for some assistance.
The question / objective:
Rent / Acquire / Invest / Purchase VM space in the cloud for the purposes of running Kali Linux instances.
Looking for privacy first cloud services, something akin to protonmail.
Anyone able to make some recommendations
if I find anything as well I'll be sure to update this post.