MK2: Jasagerpwn [script] [video]


Sorry I know I should have told you more ...

it is in the normal Internet connectivity, it goes wrong.

I checked in /etc/resolv.conf and it says nameserver 127.0.0.1 .. how do I change to 4.2.2.2

I'm from Sweden so my English is not so good ..

if it still fails after the change to 4.2.2.2

I will try to give you more info...

I appreciate your help!

When the script is running it should be set to 4.2.2.2, but if you need to try it manually it's simply: echo "nameserver 4.2.2.2" > /etc/resolv.conf


these are my current settings on the pineapple (/etc/config/network)

    config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

    config 'interface' 'lan'
        option 'ifname' 'eth0'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'macaddr' ''
        option 'ip6addr' ''
        option 'gateway' ''
        option 'ip6gw' ''
        option 'ipaddr' '192.168.10.1'
        option 'dns' ''

and in your script

    IFACE="wlan0" #Interface connected to the internet (gateway) to share, EG wlan0,eth1,usb0,ppp0,etc
    WiFiMODE="1" #Use WiFi For Internet Gateway (Will create a DeAuth Rule so you dont own yourself) EG 0,1
    fonIP="192.168.10.2" #IP for ethernet interface facing the Fon, the dhcp.conf is below to change subnet.
    FONIFACE="eth0" #Ethernet interface facing the Jasager/Fon router, EG eth0,eth1,eth2
    WIFACE="wlan0" #Wireless Interface to attack with, EG wlan0,ath0,wifi0
    MIFACE="mon0" #Monitor Interface for Attacks from airmon-ng

and dhcp

    subnet 192.168.10.0 netmask 255.255.255.0 {
    interface $FONIFACE;
    range 192.168.10.3 192.168.10.254;
    option routers $fonIP;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option domain-name-servers $fonIP;
    option domain-name \"$DomainName\";
    allow unknown-clients;

/etc/resolv.conf nameserver 4.2.2.2

dnsmasq disabled

I'm using BackTrack 5

do you need anything else?


Please use code tags when posting large amounts of information.

The configuration looks generally correct. The pineapple appears to be configured correctly and the script settings appear to be okay as well, although you did not give me a description of the topology as requested, so it's pretty hard to know.

Try using a different wireless card as the "IFACE" variable, perhaps using it for attacks with monitor mode is causing problems.

You may want to play around with it and try and get some more information on what exactly the issue may be. For example try to use one of the attacks and see if they even work, as they do not require any internet connection at all to function.

Furthermore, you should respond with some basic troubleshooting information you have gathered from testing and tweaking your setup such as:

Test connectivity to pineapple: ping 192.168.10.1

Test connectivity to DNS server: ping 4.2.2.2

Test DNS functionality: ping google.com

Edited by leg3nd
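
The three checks listed above, together with the /etc/resolv.conf question from the first post, can be scripted so that each failure points at a layer. This is an added example, not part of the thread or of the jasagerPwn script; the function names are made up here, and the live checks only run when the script is started with --live.

```shell
#!/bin/sh
# Added example: layered triage of "no internet" using the checks from the post.
# Function names are hypothetical; addresses default to the ones in the thread.

# Print every nameserver address listed in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed (0) if the first nameserver is a loopback address, which only works
# when a local resolver such as dnsmasq is actually running on the machine.
first_ns_is_loopback() {
    case "$(list_nameservers "$1" | head -n 1)" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the three check results (0 = ok, non-zero = failed) to the broken layer.
# $1 = ping gateway, $2 = ping resolver by IP, $3 = ping a hostname
diagnose() {
    if [ "$1" -ne 0 ]; then echo "link: gateway unreachable"
    elif [ "$2" -ne 0 ]; then echo "routing: no path to resolver IP"
    elif [ "$3" -ne 0 ]; then echo "dns: IP works but names do not resolve"
    else echo "ok"
    fi
}

# Run the live checks and report; extra hint when resolv.conf uses loopback.
run_checks() {
    gw=${1:-192.168.10.1}; ns=${2:-4.2.2.2}; name=${3:-google.com}
    ping -c 1 -W 2 "$gw" >/dev/null 2>&1; a=$?
    ping -c 1 -W 2 "$ns" >/dev/null 2>&1; b=$?
    ping -c 1 -W 2 "$name" >/dev/null 2>&1; c=$?
    diagnose "$a" "$b" "$c"
    if first_ns_is_loopback /etc/resolv.conf; then
        echo "note: resolv.conf points at loopback; a local resolver must be running"
    fi
    return 0
}

# Only touch the network when explicitly asked: sh triage.sh --live
if [ "${1:-}" = "--live" ]; then shift; run_checks "$@"; fi
```
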

not really sure what topology means but I think it is my network setup

I'm running a router on 192.168.0.1 netmask 255.225.255.0.

I have tried to set the pineapple to 192.168.0.2 and I have checked for IP conflicts, but did not find any

I have also been at a friend's and tested on a 192.168.1.1 network and it works!

but when I write the script to 0.x as I have, it does not work.

this is a DNS inquiry on the attacking computer running the script

192.168.10.3.53777> 192.168.10.150.53: 36826 + A? www.google.com

it is quite difficult to explain my problem ... all attacks work

it's only the Internet that is not working

Test connectivity to pineapple: ping 192.168.10.1 --> working

Test connectivity to DNS server: ping 4.2.2.2 ---> working

Test DNS functionality: ping google.com ---> working

but when I ssh to 192.168.10.1 and run ping www.google.com I get no response

and then I ping 4.2.2.2 and 192.168.10.150 and I get a response

hope you can understand me :)

Edited by BLACK HAWK409

You have given me multiple subnets which don't seem to make sense.

The pineapple network as you have explained should be on the 192.168.10.0 255.255.255.0 subnet, with an IP of 192.168.10.1, the attacker machine (fonIP) should be set to 192.168.10.2. This is all assuming the configuration you had posted yesterday. I would try setting it up to use this subnet and see if it works.

The script should run fine with the default settings and subnet mentioned above, besides "IFACE" which you need to set to the wireless card you are using.

The subnet for the internet connectivity, such as the wireless router you're trying to tunnel the connection through, is irrelevant; the subnet should not matter at all as it's tunneled from the interface and not the IPs.

The pineapple should not have the ability to ping when you SSH into it, because it does not have a DNS server assigned to it. The internet will only work for people who are assigned an IP address from your DHCP server running on the attacking machine.

I will try to add a function to configure the pineapple and script when I get some time.

Edited by leg3nd

No I don't think port forwarding would be necessary for any of it. It sounds to me like some kind of issue with that specific wireless access point. Maybe something like wireless isolation is causing a problem, or some kind of DNS filter? I have never heard of this problem, so perhaps someone else can shed some light on the issue and I can try to make a workaround.

I would pop into the router and look through the settings. It seems like something in there is causing the problem if you can use other access points or your mobile phone for internet.


Hey, this script looks great. I just had a question before I start messing around with it.

I am using bt5 with an alfa card, and I would be using wifi for internet access.

So I would use wlan1 (the alfa) for WIFACE, FONIFACE = (eth0) ethernet nic, and IFACE should be another wifi card, such as my built-in one, wlan0? And from there I would connect wlan0 to my home access point, right? I guess what I am saying is, can WIFACE and IFACE both be the alfa? I am assuming not, since they are separate variables.

Also, is the script as of now final? I see you are adding in an autoconfig portion to it, but will any of the meat of it be changed? Just don't know if I should wait until then to start playing with it.

Thanks !

The majority of the script is complete and will remain the same. I only implement changes when I see something I really like, and that is all dynamic when you update it. As long as you just set up the variables you'll be set.

In your case, everything you have said for the variables appears correct. WIFACE = "wlan1", IFACE = "wlan0", FONIFACE = "eth0", WiFiMode = "1" (So you do not deauth your internal wireless card).

Other than that, just make sure the dhcp configuration and the pineapple are set up with the correct subnets and it's good to go.


  • 1 month later...

I downloaded jasagerPwn today but got an unexpected EOF when gunziping the file. I've tried downloading on a couple of machines...assume that there's some problem with the remote file. Anyone else seeing this?

Yeah sorry this was my fault. I think the upload failed while going to my website. I have fixed the archive now but you may want to use googlecode anyways, as I use SVN to update it from there more so than the archive on the website.

But both are updated to v1.2 now which NO LONGER REQUIRES SET. I have implemented the java applet vectors manually now and it appears to be much more reliable. I have also included some custom binaries of the SET python payload which can be chosen in the script settings. Keep in mind this payload is hardcoded with fonIP to 192.168.10.2.

Enjoy! Feedback is appreciated.

Edited by leg3nd

Yeah sorry this was my fault. I think the upload failed while going to my website.

Excellent. Thanks for sorting that. :)

I had a few problems initially, but nothing that wasn't sorted out with a ./jasagerPwn -u

I do have a couple of quick questions. Does wirelessAtkIFACE have to use a different physical interface to gatewayIFACE or can they both share a wireless NIC? Currently I'm using my internal Wifi interface for the gateway and an external USB Alfa interface for the Attack interface...so everything works, just interested to know.

I'm pretty sure I know the answer to this already but just for confirmation's sake...ourAPmac should be the MAC for the Fon's internal wireless interface, as opposed to any of the wireless interfaces on your local machine...correct?

Thanks again. Great script. :)

Well, when you associate to an access point with a wireless card you lock into that channel, so something like the deauth attack may cause issues as it tries to change channels.

For best results you should try and keep the interfaces separate, but without DeAuth attacks it is probably fine.

Sorry, I did notice that they changed the location for SSLstrip, I'll double check and make sure the paths are correct in the script when I get some time.

Thanks for the feedback. :)


  • 3 weeks later...

How would I see the clients connected without scrolling through the whole DHCP log? Or even connect to the FON page, since I can't access it through http://192.168.0.2:1471 (I use .0.2 to reduce the IP conflicts). Otherwise REALLY great script! luurv it

Sorry for the late response, I've been doing some school and certifications lately.

I don't see the advantage of setting your IP on the fon as .2 personally. 253 hosts is plenty for both yourself and any viable number of clients. Generally I use a combination of both the DHCP log as well as the web interface to enumerate my current clients.

Another basic solution, although probably not as reliable, would be to do a simple ping sweep of the network with nmap.

nmap -sP -n -T4 192.168.0.1/24

Edited by leg3nd

  • 2 weeks later...

Hi Leg3nd.

Ohhh dang, I feel embarrassed to even mention this. Due to some, ehh, start problems, confusing moments etc. etc., I managed to disable the DHCP on the phone as you described without setting the script up correctly. Mine was set to 192.168.1.1 and now I can't connect to 192.168.1.1:1471. The script works, but I cannot get into the interface, and I cannot SSH since it won't give me any IP. Do you have any clue how an old retard like me can get this up and running again? By the way, I looked through the code and I have to give it to you... mad skills, man.


Hi. I've been having some issues getting this setup correctly and have hit a brick-wall...some help would be much appreciated.

Everything is working with the sole exception of DNS. I can connect to the FON wireless AP with a client; I get an IP and associated config from the DHCP server on my Backtrack 5 laptop. I can see the DHCP requests come through and everything works as expected when I use numerical IP addresses (URL Snarf goes crazy, etc.). Unfortunately, if I try to use domain names (as most ppl would), they never resolve. I've checked DNS resolution on my Backtrack laptop and things resolve as expected. Not sure what might be the problem. Any suggestions?

Thanks.


Everything is working with the sole exception of DNS.

I've got a bit further with the investigation on this. Some setup notes:

Fon Router IP: 192.168.10.250

Attacking machine IP ($fonIP) on eth0: 192.168.10.2

Connected victim machine: 192.168.10.3

I ran up wireshark on eth0 and monitored traffic. I can see DNS requests going from 192.168.10.3 (victim) to 192.168.10.2 ($fonIP) but I see no DNS responses. Assume this must mean that my Backtrack 5 laptop DNS is not setting itself up properly?

Just to check DNS between the attacking machine and the internet, I swapped wireshark over to monitor wlan0 and ran 'host www.google.com' from the attacking machine. I saw a DNS request go out from 192.168.0.110 (Attacking Machine IP on wlan0) to 192.168.0.254 (my wireless router). As expected, I saw the response come back and the domain was resolved.

Again, any help would be much appreciated. :)
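
The observation in this post (queries reaching 192.168.10.2 with no replies, while the laptop's own lookup upstream is answered) can be confirmed from tcpdump text instead of by eye. This is an added example, not part of the thread or of the script; `unanswered_dns` and the sample lines are constructed, and the input is assumed to be the output of `tcpdump -n port 53`.

```shell
#!/bin/sh
# Added example (not from the thread): list DNS queries that never got a reply.
# Input is the text output of `tcpdump -n port 53`; -n keeps the port numeric.

unanswered_dns() {
    awk '
    {
        # Find the "src > dst:" triple; its position depends on the prefix
        # (timestamp, "IP") that tcpdump prints before it.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
        id = $(i + 2); sub(/[^0-9].*$/, "", id)        # "36826+" -> "36826"
        if (id == "") next

        # A query carries a type token ending in "?" followed by the name.
        qname = ""
        for (j = i + 3; j < NF; j++) if ($j ~ /\?$/) { qname = $(j + 1); break }

        if (dst ~ /\.53$/ && qname != "") {             # query to a resolver
            key = src " " id
            if (!(key in pending)) order[++n] = key
            pending[key] = qname
        } else if (src ~ /\.53$/) {                     # reply from a resolver
            delete pending[dst " " id]
        }
    }
    END {
        # Print "client.port id name" once per query still waiting for a reply.
        for (k = 1; k <= n; k++)
            if ((order[k] in pending) && !done[order[k]]++)
                print order[k], pending[order[k]]
    }'
}

# Constructed sample using the addresses from the post: the client retries its
# query to 192.168.10.2 without a reply; the upstream lookup is answered.
sample_capture() {
    cat <<'EOF'
12:00:01.100000 IP 192.168.10.3.53777 > 192.168.10.2.53: 36826+ A? www.google.com. (32)
12:00:02.100000 IP 192.168.10.3.53777 > 192.168.10.2.53: 36826+ A? www.google.com. (32)
12:00:03.200000 IP 192.168.0.110.40112 > 192.168.0.254.53: 4242+ A? www.google.com. (32)
12:00:03.230000 IP 192.168.0.254.53 > 192.168.0.110.40112: 4242 1/0/0 A 203.0.113.10 (48)
EOF
}
```

Run as `sample_capture | unanswered_dns`, or pipe a live `tcpdump -n -l -i eth0 port 53` capture file into the function; an empty result means every query seen was answered.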


Have you confirmed that on the attacking machine (I assume it's the BT5 one) that you can access internet?

Have you disabled dnsmasq on the router?

Have you tried to view the DNS entries on the victim machine?

Have you set the DNS server on the router to that of the gateway your attacking machine is using?
