IMcPwn

The problem is needing to escape the QUACK string because it includes a bash variable. This pull request fixes it: https://github.com/hak5/bashbunny-payloads/pull/17 The correct line is: QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"

Hey guys. After having fun with the LAN Turtle and WiFi Pineapple Nano I took a break and started working on my own project. It's called BrowserBackdoor. It's an Electron application that includes a JavaScript WebSocket backdoor that connects to my Ruby listener. The Electron application runs in the background with no user interface and is basically Chromium so it hasn't been flagged by any Anti Viruses I've tested it against. The Ruby listener can send commands or modules to the Electron application for it to execute and send the results back. Here are the modules I've created so far: enableStartup, screenshot, downloadFile, beep, execCommand, readClipboard, moveToTrash, readDir, openURL, createFile, writeClipboard The up to date list is here: https://github.com/IMcPwn/browser-backdoor/tree/master/server/modules I've also taken some screenshots of what the console looks like: https://github.com/IMcPwn/browser-backdoor/wiki/Screenshots If anyone is interested in suggesting anything I should add or working on the project with me let me know! Github link: https://github.com/IMcPwn/browser-backdoor I'm also trying out Discord for live text/voice chat: https://discord.gg/013wk2VPnnuw9iLmU

Aww. Thanks anyway Darren. I guess I'll try running access server and community edition at the same time :/

Thanks Darren! I tried forwarding LAN to WAN in /etc/config/firewall but it made no difference. I want to do what you're doing in the video but using OpenVPN community edition instead of access server but there is absolutely no information on how add a client as a gateway anywhere I can find, do you know how?

Hey guys, I got an OpenVPN client working on the Nano super easily. The command is opkg update && opkg install openvpn-openssl --dest sd Anyway once I have it connected I cannot ping (or connect in any other way) the nano from my computer (the OpenVPN server) but I can do the reverse. I have temporarily disabled ALL iptables rules and set the chain defaults to ACCEPT and still nothing. I'd like to say I'm decent at figuring out iptables but I can't work with the zone_wan_input and zone_lan_input, etc chains but I'm assuming that's not the problem because I deleted all of them (temporarily). This is also an issue on the Turtle for me. I have not tried setting the Nano or Turtle as default gateways on my server because I'm not using openvpn-as (access server), just plain old openvpn command line community edition so I'm not sure how to do that and can't find anything on google on how to do that. Here are my current iptables rules on the openvpn server: ip=`curl -sS -4 http://icanhazip.com` iptables -A FORWARD -s 10.8.0.0/24 -d 10.8.0.0/24 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to $ip It'd be great if anybody had some insight on a solution, thanks in advance!

wlan0-1 is because you're running an open AP and a management AP. If you disable the management AP wlan0-1 disappears. On a side note it'd be nice to know if you can disable the open AP as well. I was just thinking it might help use less power when in recon mode.

Sounds great! Thanks for the notice!

I think you have what I'm saying confused. They are not on my physical machine. They are merely connected to the Pineapple's open AP from their laptop.

@Darren I'm not concerned with regular users. This is for the sysadmins or people who would look up WiFi Pineapple to find out what it is or people who already own one being able to find out information about yours. Ex: they could find out if you have Cabinet or any other module installed by going to http://172.16.42.1:1471/#/modules/Cabinet without needing to log on. @audibleblink's CSS solves the issue of someone looking up WiFi Pineapple and going to your site and to find out information unless they know you can disable that CSS on the right side of Chrome's Developer Tools which makes it look exactly how it did before.

Glad you all agree and I'm liking the ideas! Specifically I'll be trying editing the CSS. Hopefully we'll see what Seb or Darren have to say for a more permanent solution.

Hi, I really love the new UI design, besides the pre-login phase. It looks as below: Initially this concerned me because I thought it showed data in the background before you logged in which is false. Later when I was learning the new API on my own I developed a module called "Reboot" that does as expected, reboots and turns off the machine. My problem is the below is shown even before I log in: In the background there is a leak of information about the module. This can be viewed for any module that's installed to see what the Pineapple owner might be doing or working on. Would it be possible to have an option to force a user to look at a generic login page before viewing anything or do you think that would be excessive? Thanks for the consideration

So I learned the order of iptables rules matters and that solved my problem. Below are the commands I appended to my /etc/firewall.user file to block access to local subnets. The pineapple is still accessible though (possibly because it's the default gateway?). #block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*) iptables -I FORWARD 1 -d 192.168.0.0/16 -j DROP iptables -I FORWARD 1 -d 172.16.0.0/12 -j DROP iptables -I FORWARD 1 -d 10.0.0.0/8 -j DROP

Huh. I still can't seem to figure it out. Thanks anyway. Here's a few of the many things I've tried: config rule option src lan option dest wan option dest_ip 192.168.1.1/24 option target REJECT config rule option src lan option dest wan option dest_ip 192.168.1.1/24 option proto tcpudp option target REJECT They seem to not be doing anything. Even after /etc/init.d/firewall restart. Sorry for being a noob.

I've never used /etc/config/firewall before, what sort of rules do I specify there exactly? Thanks!

IP Forwarding is enabled by default, so that's not effecting it. root@Pineapple:~# sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1 I also tried iptables -A FORWARD -d 192.168.1.1/24 -j DROP and this did not succeed either.

The command iptables -A forward-s 172.16.42.1/24 -d 192.168.1.1/24 -j drop had some issues. I changed it to iptables -A FORWARD -s 172.16.42.1/24 -d 192.168.1.1/24 -j DROP but that still didn't work. Any other ideas?

Thanks guys I'll take a look when I get home and report back!

Hello. I would like to have an option to exclude clients on the Pineapple from being able to access the network the Pineapple is getting Internet from. For example, I have a home router with the subnet of 192.168.1.1/24 The pineapple has a subnet of 172.16.42.1/24 and is getting Internet from a computer on the subnet 192.168.1.1/24. I would like users on 172.16.42.1/24 to NOT be able to access IPs on the 192.168.1.1/24 subnet. Is this possible? Thanks for any responses!

The URL is not incorrect, they just have not set it up to be public yet. I believe it will include packages like aircrack so you can update those later. I cannot answer the other two questions you have.

Thanks!

By the way, some paths in running nginx -V seem invalid. root@Pineapple:/etc/nginx# nginx -V nginx version: nginx/1.4.7 built by gcc 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r46581) configure arguments: --crossbuild=Linux::mips --prefix=/usr --conf-path=/etc/nginx/nginx.conf --add-module=/home/sebkinne/raid/hak5/pineapple/nano-firmware/build_dir/target-mips_34kc_uClibc-0.9.33.2/nginx-1.4.7/nginx-naxsi/naxsi_src --without-http-cache --add-module=/home/sebkinne/raid/hak5/pineapple/nano-firmware/build_dir/target-mips_34kc_uClibc-0.9.33.2/nginx-1.4.7/nginx-syslog --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-cc=mips-openwrt-linux-uclibc-gcc --with-cc-opt='-I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/usr/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/usr/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/include -Os -pipe -mno-branch-likely -mips32r2 -mtune=34kc -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -mips16 -minterlink-mips16' --with-ld-opt='-L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/usr/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/usr/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/lib' Specifically /home/sebkinne which doesn't exist :)

I found a tutorial for adding SSL to the Wifi Pineapple Mark V. https://github.com/hak5/wifipineapple-wiki/blob/gh-pages/add_ssl.md To my knowledge this does not work on the Nano. First issue appears when installing with the --dest usb option. * resolve_pkg_dest_list: Unknown dest name: `usb'. I figured this was for the SD card and installed it without that parameter, no errors. The Nginx configuration part does not work at all though following the configuration exactly. I've never used nginx before so I'm unfamilar how to fix nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /etc/nginx/nginx.conf:61 My exact configuration is (yes the certs are valid and exist) So far loving the hardware and UI, thanks Hak5!

Wow. I didn't even realize you posted this, but I made Responder functional with a module: https://github.com/hak5/lanturtle-wiki/pull/8 Currently it is fully functional against the host machine the turtle is plugged into but I'm still working on finding a way to enable it to open those ports to the whole LAN.

Hi. I'm IMcPwn. This is my first post and I'm not sure exactly what the etiquette is here but I just wanted to get some feedback on a new module I contributed to. You can't really say I made it because it's mostly Darren Kitchen's work with my modifications plus a payload by msfvenom. Anyway the module is "meterpreter_sl" and here's the link to module's pull request: https://github.com/hak5/lanturtle-wiki/pull/6 The direct meterpreter_sl executable would have to be accepted first if the module is to work, which can be seen here: https://github.com/hak5/lanturtle-files/pull/3 Basically what the module does is adds a new payload "php/meterpreter_reverse_tcp" which is the stageless version of the current "php/meterpreter/reverse_tcp". For those who don't know a stageless meterpreter session has the payload build-in so less data is sent over the network when the session is opened, therefore being stealthier. Just looking to get some feedback to see if the community wants this. Thanks guys and happy LAN Turtling!