IMcPwn
-
Posts
36 -
Joined
-
Last visited
-
Days Won
1
Posts posted by IMcPwn
-
-
Hey guys. After having fun with the LAN Turtle and WiFi Pineapple Nano I took a break and started working on my own project.
It's called BrowserBackdoor. It's an Electron application that includes a JavaScript WebSocket backdoor that connects to my Ruby listener.
The Electron application runs in the background with no user interface and is basically Chromium so it hasn't been flagged by any Anti Viruses I've tested it against.
The Ruby listener can send commands or modules to the Electron application for it to execute and send the results back.
Here are the modules I've created so far:
enableStartup, screenshot, downloadFile, beep, execCommand, readClipboard, moveToTrash, readDir, openURL, createFile, writeClipboardThe up to date list is here: https://github.com/IMcPwn/browser-backdoor/tree/master/server/modules
I've also taken some screenshots of what the console looks like: https://github.com/IMcPwn/browser-backdoor/wiki/Screenshots
If anyone is interested in suggesting anything I should add or working on the project with me let me know!
Github link: https://github.com/IMcPwn/browser-backdoor
I'm also trying out Discord for live text/voice chat: https://discord.gg/013wk2VPnnuw9iLmU
-
Aww. Thanks anyway Darren. I guess I'll try running access server and community edition at the same time :/
-
Thanks Darren!
I tried forwarding LAN to WAN in /etc/config/firewall but it made no difference.
I want to do what you're doing in the video but using OpenVPN community edition instead of access server but there is absolutely no information on how add a client as a gateway anywhere I can find, do you know how?
-
Hey guys, I got an OpenVPN client working on the Nano super easily. The command is
opkg update && opkg install openvpn-openssl --dest sd
Anyway once I have it connected I cannot ping (or connect in any other way) the nano from my computer (the OpenVPN server) but I can do the reverse.
I have temporarily disabled ALL iptables rules and set the chain defaults to ACCEPT and still nothing.
I'd like to say I'm decent at figuring out iptables but I can't work with the zone_wan_input and zone_lan_input, etc chains but I'm assuming that's not the problem because I deleted all of them (temporarily).
This is also an issue on the Turtle for me.
I have not tried setting the Nano or Turtle as default gateways on my server because I'm not using openvpn-as (access server), just plain old openvpn command line community edition so I'm not sure how to do that and can't find anything on google on how to do that.
Here are my current iptables rules on the openvpn server:
ip=`curl -sS -4 http://icanhazip.com` iptables -A FORWARD -s 10.8.0.0/24 -d 10.8.0.0/24 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to $ip
It'd be great if anybody had some insight on a solution, thanks in advance!
-
wlan0-1 is because you're running an open AP and a management AP.
If you disable the management AP wlan0-1 disappears.
On a side note it'd be nice to know if you can disable the open AP as well. I was just thinking it might help use less power when in recon mode.
-
Sounds great! Thanks for the notice!
-
I think you have what I'm saying confused. They are not on my physical machine. They are merely connected to the Pineapple's open AP from their laptop.
-
1
-
-
@Darren
I'm not concerned with regular users. This is for the sysadmins or people who would look up WiFi Pineapple to find out what it is or people who already own one being able to find out information about yours. Ex: they could find out if you have Cabinet or any other module installed by going to http://172.16.42.1:1471/#/modules/Cabinet without needing to log on.
@audibleblink's CSS solves the issue of someone looking up WiFi Pineapple and going to your site and to find out information unless they know you can disable that CSS on the right side of Chrome's Developer Tools which makes it look exactly how it did before.
-
Glad you all agree and I'm liking the ideas! Specifically I'll be trying editing the CSS.
Hopefully we'll see what Seb or Darren have to say for a more permanent solution.
-
Hi, I really love the new UI design, besides the pre-login phase. It looks as below:
Initially this concerned me because I thought it showed data in the background before you logged in which is false.
Later when I was learning the new API on my own I developed a module called "Reboot" that does as expected, reboots and turns off the machine. My problem is the below is shown even before I log in:
In the background there is a leak of information about the module. This can be viewed for any module that's installed to see what the Pineapple owner might be doing or working on. Would it be possible to have an option to force a user to look at a generic login page before viewing anything or do you think that would be excessive?
Thanks for the consideration
-
So I learned the order of iptables rules matters and that solved my problem. Below are the commands I appended to my /etc/firewall.user file to block access to local subnets. The pineapple is still accessible though (possibly because it's the default gateway?).
#block all traffic to any possible private network address (10.*.*.*, 172.16-32.*.*, 192.168.*.*) iptables -I FORWARD 1 -d 192.168.0.0/16 -j DROP iptables -I FORWARD 1 -d 172.16.0.0/12 -j DROP iptables -I FORWARD 1 -d 10.0.0.0/8 -j DROP
-
Huh. I still can't seem to figure it out. Thanks anyway.
Here's a few of the many things I've tried:
config rule option src lan option dest wan option dest_ip 192.168.1.1/24 option target REJECT
config rule option src lan option dest wan option dest_ip 192.168.1.1/24 option proto tcpudp option target REJECT
They seem to not be doing anything. Even after /etc/init.d/firewall restart. Sorry for being a noob.
-
I've never used /etc/config/firewall before, what sort of rules do I specify there exactly?
Thanks!
-
IP Forwarding is enabled by default, so that's not effecting it.
root@Pineapple:~# sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1
I also tried
iptables -A FORWARD -d 192.168.1.1/24 -j DROP
and this did not succeed either.
-
The command
iptables -A forward-s 172.16.42.1/24 -d 192.168.1.1/24 -j drop
had some issues. I changed it to
iptables -A FORWARD -s 172.16.42.1/24 -d 192.168.1.1/24 -j DROP
but that still didn't work.
Any other ideas?
-
Thanks guys I'll take a look when I get home and report back!
-
Hello. I would like to have an option to exclude clients on the Pineapple from being able to access the network the Pineapple is getting Internet from.
For example,
I have a home router with the subnet of 192.168.1.1/24
The pineapple has a subnet of 172.16.42.1/24 and is getting Internet from a computer on the subnet 192.168.1.1/24.
I would like users on 172.16.42.1/24 to NOT be able to access IPs on the 192.168.1.1/24 subnet.
Is this possible?
Thanks for any responses!
-
The URL is not incorrect, they just have not set it up to be public yet. I believe it will include packages like aircrack so you can update those later.
I cannot answer the other two questions you have.
-
-
By the way, some paths in running
nginx -V
seem invalid.
root@Pineapple:/etc/nginx# nginx -V nginx version: nginx/1.4.7 built by gcc 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r46581) configure arguments: --crossbuild=Linux::mips --prefix=/usr --conf-path=/etc/nginx/nginx.conf --add-module=/home/sebkinne/raid/hak5/pineapple/nano-firmware/build_dir/target-mips_34kc_uClibc-0.9.33.2/nginx-1.4.7/nginx-naxsi/naxsi_src --without-http-cache --add-module=/home/sebkinne/raid/hak5/pineapple/nano-firmware/build_dir/target-mips_34kc_uClibc-0.9.33.2/nginx-1.4.7/nginx-syslog --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-cc=mips-openwrt-linux-uclibc-gcc --with-cc-opt='-I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/usr/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/usr/include -I/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/include -Os -pipe -mno-branch-likely -mips32r2 -mtune=34kc -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -mips16 -minterlink-mips16' --with-ld-opt='-L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/usr/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/target-mips_34kc_uClibc-0.9.33.2/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/usr/lib -L/home/sebkinne/raid/hak5/pineapple/nano-firmware/staging_dir/toolchain-mips_34kc_gcc-4.8-linaro_uClibc-0.9.33.2/lib'
Specifically /home/sebkinne which doesn't exist :)
-
I found a tutorial for adding SSL to the Wifi Pineapple Mark V. https://github.com/hak5/wifipineapple-wiki/blob/gh-pages/add_ssl.md
To my knowledge this does not work on the Nano.
First issue appears when installing with the --dest usb option.
* resolve_pkg_dest_list: Unknown dest name: `usb'.
I figured this was for the SD card and installed it without that parameter, no errors.
The Nginx configuration part does not work at all though following the configuration exactly. I've never used nginx before so I'm unfamilar how to fix
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /etc/nginx/nginx.conf:61
My exact configuration is (yes the certs are valid and exist)
user root root;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
index index.php index.html index.htm;
default_type text/html;
sendfile on;
keepalive_timeout 65;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
server {
listen 80; # Port, make sure it is not in conflict with another http daemon.
server_name www; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html
error_page 404 =200 /index.php;
error_log /dev/null;
access_log /dev/null;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 32k;
fastcgi_buffers 4 32k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 32k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 60; # 60 sec should be enough, if experiencing alof of timeouts, increase this.
output_buffers 1 32k;
postpone_output 1460;
root /www/; # Your document root, where all public material is.
location ~ \.php$ {
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (-f $request_filename) {
# Only throw it at PHP-FPM if the file exists (prevents some PHP exploits)
fastcgi_pass unix:/var/run/php5-fpm.sock; # The upstream determined above
}
}
error_page 404 =200 /index.php;
}
server {
listen 1471 ssl; # Port, make sure it is not in conflict with another http daemon.
server_name pineapple; # Change this, reference -> http://nginx.org/en/docs/http/server_names.html
ssl_certificate /etc/ssl/certs/server.pem;
ssl_certificate_key /etc/ssl/certs/server.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
error_page 404 =200 /index.php;
error_log /dev/null;
access_log /dev/null;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 32k;
fastcgi_buffers 4 32k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 32k;
client_body_timeout 10;
client_header_timeout 10;
send_timeout 60; # 60 sec should be enough, if experiencing alof of timeouts, increase this.
output_buffers 1 32k;
postpone_output 1460;
root /pineapple/; # Your document root, where all public material is.
add_header 'Cache-Control' 'must-revalidate';
location ~ \.php$ {
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (-f $request_filename) {
# Only throw it at PHP-FPM if the file exists (prevents some PHP exploits)
fastcgi_pass unix:/var/run/php5-fpm.sock; # The upstream determined above
}
}
}
}So far loving the hardware and UI, thanks Hak5!
-
Wow. I didn't even realize you posted this, but I made Responder functional with a module: https://github.com/hak5/lanturtle-wiki/pull/8
Currently it is fully functional against the host machine the turtle is plugged into but I'm still working on finding a way to enable it to open those ports to the whole LAN.
-
1
-
-
Hi. I'm IMcPwn.
This is my first post and I'm not sure exactly what the etiquette is here but I just wanted to get some feedback on a new module I contributed to.
You can't really say I made it because it's mostly Darren Kitchen's work with my modifications plus a payload by msfvenom.
Anyway the module is "meterpreter_sl" and here's the link to module's pull request: https://github.com/hak5/lanturtle-wiki/pull/6
The direct meterpreter_sl executable would have to be accepted first if the module is to work, which can be seen here: https://github.com/hak5/lanturtle-files/pull/3
Basically what the module does is adds a new payload "php/meterpreter_reverse_tcp" which is the stageless version of the current "php/meterpreter/reverse_tcp".
For those who don't know a stageless meterpreter session has the payload build-in so less data is sent over the network when the session is opened, therefore being stealthier.
Just looking to get some feedback to see if the community wants this.
Thanks guys and happy LAN Turtling!
-
4
-
$SWITCH_POSITION problem in powershell?
in Bash Bunny
Posted
The problem is needing to escape the QUACK string because it includes a bash variable. This pull request fixes it: https://github.com/hak5/bashbunny-payloads/pull/17
The correct line is:
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\d.cmd')"