Momentum Posted September 27, 2011

Have you confirmed that on the attacking machine (I assume it's the BT5 one) that you can access internet? Yes.

Have you disabled dnsmasq on the router? Yep.

Have you tried to view the DNS entries on the victim machine? Nope. Victim is an iPhone. I've just tested by trying to visit a website using the domain name (http://www.google.com). That generates the DNS request I'm seeing in Wireshark, but the victim never gets a DNS response and Safari times out. If I visit Google by numeric IP, the page renders just fine.

Have you set the DNS server on the router to that of the gateway your attacking machine is using? Don't believe I've tried this yet. I'll test this out tomorrow evening and post the results.

Thanks for the assistance. :)
leg3nd (Author) Posted September 29, 2011 (edited)

First thing, if it is an iPhone as a victim, I would try and make sure that it's not connected to a cellular network, simply because I am not super familiar with the mechanics of the iPhone connectivity. May I suggest using a virtual machine for terms of testing; this can even be done on the attacker machine assuming you have enough wireless cards (you might actually need like 3 to do that).

The way the DNS mechanics in the script are working is by redirecting the DNS requests through the attacker machine and off to the gateway of the attacker machine. This is the iptables command which is handling those requests on line 142.

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to $gatewayIP

One thing you can try is changing the $gatewayIP variable on line 142 to "4.2.2.2" or "8.8.8.8" and see if that helps. If it does, then it's an issue with the network which you are trying to tunnel it through. The line should look like the following..

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to 4.2.2.2

Good luck.

Edited September 29, 2011 by leg3nd
Momentum Posted September 29, 2011

One thing you can try is changing the $gatewayIP variable on line 142 to "4.2.2.2" or "8.8.8.8" and see if that helps. If it does, then it's an issue with the network which you are trying to tunnel it through. The line should look like the following..

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to 4.2.2.2

Good luck.

Looks like you are bang on the money. I altered this line and DNS started resolving straight away. So, are you saying that $gatewayIP should be the IP address for my internet gateway/router? On line 77 it looks like $gatewayIP is set. I stuck an 'echo $gatewayIP' just before line 142, just to get visibility of what it's being set to, and currently it is being set to 0.0.0.0? I manually set it to my router IP (192.168.0.254) and everything worked as expected. Is $gatewayIP supposed to be 0.0.0.0, or is this a bug in the script or a peculiarity in my setup?

Thanks for your help with this... it's proving to be a great learning exercise. Really appreciate it. :)
leg3nd (Author) Posted October 1, 2011

Ah interesting.. Others have had issues with this before. 0.0.0.0 is representing a default route, but is actually supposed to be returning the gateway (router's IP address), so I assume there is an issue with the awk statement I am using to parse it. Sounds like a bug while parsing for that variable. Would you mind PMing me or posting the output of "route -n" when you are using the setup described earlier? That would be great. Until I am able to update it, just go ahead and replace that line yourself; should work fine. Appreciate it. :)
Momentum Posted October 1, 2011

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

I'm not familiar with awk but had a play anyway. It seems that "getline" may be the problem. Using "route -n | awk '/^0.0.0.0/ {print $2}'" returns the correct gateway IP. Not sure if that works for everyone though. ;)
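An added illustration of the parsing fix Momentum describes, not the JasagerPwn script's own code: the function below reads `route -n` output, picks the gateway of the default route that leaves through the named interface, and refuses to hand back the 0.0.0.0 placeholder the script was ending up with. The two routing tables are constructed samples; the first is shaped like the one posted above, the second is what a point-to-point uplink such as ppp0 or a USB-tethered phone typically shows, where the default route carries no gateway address at all.

```shell
#!/bin/sh
# Added example: extract the default gateway from `route -n` output.
# Not part of JasagerPwn; written to illustrate the fix discussed in the thread.

# Constructed sample of `route -n` output, shaped like the table Momentum posted.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Constructed sample for a point-to-point uplink: the default route has no
# gateway (0.0.0.0) and no G flag, so there is nothing to DNAT to.
PPP_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# default_gateway IFACE
# Reads `route -n` output on stdin and prints the gateway of the default route
# (destination 0.0.0.0 with the G flag) that leaves through IFACE.
# Returns 1 and prints nothing when there is no such route or the gateway field
# is itself 0.0.0.0, so a caller never feeds a bogus address into iptables.
default_gateway() {
  iface="$1"
  gw=$(awk -v ifc="$iface" '
        $1 == "0.0.0.0" && $4 ~ /G/ && $8 == ifc { print $2; exit }')
  case "$gw" in
    "" | 0.0.0.0) return 1 ;;
  esac
  printf '%s\n' "$gw"
}

# Demonstration on the constructed table. On a live system the call would be:
#   gatewayIP=$(route -n | default_gateway "$gatewayIFACE") || echo "no gateway on $gatewayIFACE"
printf '%s\n' "$SAMPLE_ROUTE" | default_gateway wlan0   # prints 192.168.0.254
```

Checking the return status before writing the iptables rule is the point: with the original one-liner, an empty or 0.0.0.0 result silently produces a DNAT target that drops every DNS query, which is exactly the symptom at the top of this thread.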
ibegreengoblin Posted October 18, 2011

JasagerPwn and Armitage. What's up, you are amazing; your JasagerPwn is extremely well written. I was just wondering how to incorporate the Armitage interface with it, how to connect to Armitage instead of just msfconsole. This would make post exploitation easier. It would make managing victims easier. If you could give me a PM or a post on the forums I would really appreciate it. Thanks again, Ty
leg3nd (Author) Posted October 19, 2011

Sorry, not much of a fan of GUI. I am sure if you really wanted to, you could just use one of the attacks, close the msfconsole window, and start Armitage to use the same listeners that msfconsole was. When you run the script, there will be Metasploit RC (resource) files stored in /tmp. You may reference those to use the correct port/payload listener.
Jmanuel Posted October 23, 2011

Would this work on the VM? Do I need to make any changes on my pineapple, like adding the gateway, and changing the subnet?
leg3nd (Author) Posted October 25, 2011

Yes, I used to run it in a VM all the time. The settings on the router are the same. But you will need to set up a bridged network adapter for the gateway interface and use the attacking card, Alfa etc, as a USB device for the VM (NOT BRIDGED).
Jmanuel Posted October 25, 2011

leg3nd, thanks for the fast reply. I was able to set up my pineapple with jasagerPwn using the VM. I have a few questions.

1.- I'm having a problem every time I start jasagerPwn. This is the message I get:

[>] Stopping services and programs...
[>] Checking Environment...
cp: cannot create regular file `/pentest/exploits/framework2/scripts/meterpreter/': No such file or directory
[>] Creating scripts...
[>] Enabling ipv4 Forwarding...
[>] Starting up DHCP3...
[>] Loading URL Snarf/Driftnet...
[>] Setting up IP Tables...
[~] leg3nd's JasagerPwn v1.2 Rev Started! More @ www.info-s3curity.com
[~] ALL Attacks are now operating system agnostic OSX/MS/Linux!!

Any ideas on how I can resolve this issue? "I have the latest version of metasploit" but mine says framework2; your script USED to say framework3 but I changed it to Frameworks2. This is my configuration on your script:

#SCRIPT CONFIGURATION BELOW - ADJUST TO YOUR WIFI CONFIGURATION
gatewayIFACE="wlan0" #Interface connected to the internet (gateway) to share, EG wlan0,eth1,usb0,ppp0,etc
fonIP="192.168.10.2" #IP for ethernet interface facing the Fon, the dhcp.conf is below to change subnet.
fonEthernet="eth0" #Ethernet interface facing the Jasager/Fon router, EG eth0,eth1,eth2
wirelessAtkIFACE="wlan1" #Wireless Interface to attack with, EG wlan0,ath0,wifi0
monIFACE="mon0" #Monitor Interface for Attacks from airmon-ng
macMode="set" #Mac spoofing mode - set / random (case sensitive)
fakeMac="00:e0:f7:99:e1:30" # 00:e0:f7:99:e1:30 (Cisco Systems, Inc.)
ourAPmac="00:12:CF:A4:35:78" #Pineapple MAC so we dont DeAuth Ourselves
MSFpath="/pentest/exploits/framework3" #Metasploit Location (if not BT5, use msf3 directory)
DomainName="Networking.com" #Domain name for DHCP configuration.
######################################################################################################################

2.- I noticed that the DHCP server on my Pineapple keeps coming back up. Is this something I need to disable every time, or can I permanently disable it by changing the "/etc/config/dhcp" file? If that is possible, what settings should I use? :D

I hope you can help me with these two questions. Thanks,
MFVX Posted October 25, 2011

1.- Any ideas on how I can resolve this issue? "I have the latest version of metasploit" but mine says framework2; your script USED to say framework3 but I changed it to Frameworks2.
cp: cannot create regular file `/pentest/exploits/framework2/scripts/meterpreter/': No such file or directory

Well, on BT5 I've used MSFpath="/pentest/exploits/framework" *It is a symlink to /opt/framework/msf3. And it seems to work just fine.

2.- I noticed that the DHCP server on my Pineapple keeps coming back up. Is this something I need to disable every time, or can I permanently disable it by changing the "/etc/config/dhcp" file? If that is possible, what settings should I use?

You disable it through SSH, with

/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq disable

If you are having problems with victims being unable to resolve hostnames, just replace $gatewayIP with your gateway IP, on line 142.
Jmanuel Posted October 25, 2011

leg3nd, thanks for the fast reply. I was able to set up my pineapple with jasagerPwn using the VM. I have a few questions.

1.- I noticed that the DHCP server on my Pineapple keeps coming back up. Is this something I need to disable every time, or can I permanently disable it by changing the "/etc/config/dhcp" file? If that is possible, what settings should I use?

2.- How can I check the DHCP pool on BT5 ("list of clients")?

3.- DeAuthorization. If I have my pineapple running, and I'm using two Alfa cards (wlan0 for internet connection, and wlan1 for attacks), would DeAuthorization affect the Alfa card wlan0? I checked your script, and I see the option to add the Pineapple's MAC address, but not for my internet connection card. :D

I hope you can help me with these two questions. Thanks,
leg3nd (Author) Posted October 26, 2011 (edited)

Jmanuel, everything MFVX said is exactly correct. Would have been the same response I would have given. The Metasploit location changed in BackTrack 5 when Metasploit upgraded to 4.0. I will go ahead and fix the bug in the next revision, but /pentest/exploits/framework/ should work fine.

Regarding the DHCP server on the pineapple, run the commands he gave and it should be disabled.

/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq disable

I have had no issues with this method, but if for whatever reason you do, you may want to try to disable it in the web interface.

With Deauthorization attacks, the "WirelessAtkIFACE" will be used for the attack, while the "gatewayIFACE" will be used for your connection to the internet. You can try to use the "gatewayIFACE" for attacking (by simply setting both variables to wlan0), but it will likely affect the stability of your connection and is not recommended.

Edited October 26, 2011 by leg3nd
MFVX Posted October 26, 2011

Leg3nd, could you please change one more thing on the next version of the script? It would be great if you add one more variable on the "setup", so users can hard-code the gateway IP instead of trusting the "route -n" method. I did it on mine and I think it would be better for the other users.

You could also add a note recommending the upgrade to sslstrip 0.9. I've had some errors with 0.8. http://www.thoughtcrime.org/software/sslstrip/

Also, I'm trying to make some kind of "fake captive portal" (a page hosted on the attacker's computer, where the victim has to enter some info or read an alert). I guess I could do that with your 2, 3 and 4 attacks. When I figure that out, may I PM you to incorporate it in the main version of the script?

Another cool thing would be some kind of selective redirect. Something like: redirect IPs 192.168.0.50 and 192.168.0.55 to a warning page when they try to visit hak5.org (Hey, fellow hak5 user, you are using a creepy-evil-poisoned AP. Be sure to use an ssh tunnel!).

Now, one more question: How easy would it be for the owner of the network you are using to provide internet to your victims to discover that there is an attack like this happening? How would he do that? Something besides seeing someone using high amounts of bandwidth?

_ Sorry if my English seems confusing. I'm not a native speaker, but I'm working on that.
leg3nd (Author) Posted October 26, 2011 (edited)

Not sure what you are implying for the "Captive portal page". Go ahead and PM me with details of the vector and I can try to work it in.

I will indeed update it to sslstrip 0.9. I was aware it was released but again have not had the time to update the script. Although I have manually updated my own to use 0.9 and the errors still persist.

Selective redirect would be kinda cool. I would have to do some brainstorming to implement this effectively. If I do something like this, I need to implement a menu system to manage it, which I would also like to contain hostnames and MAC addresses as well as the IP.

Regarding detection of rogue access points, they can be very difficult to detect, especially at a non-end-user level. A couple of ways it CAN be detected are with wireless IDS/IPS systems, SSID spam (if you're responding to a lot of probes it will result in a large list of APs on the client machines), or simply opening up airodump-ng and noticing the very strange behavior that occurs on the access point. Personally, when I go to something like say DefCon.. I use a very very basic script which detects when your gateway MAC address changes and/or when your network's subnet changes. This seems to mitigate most man in the middle attacks.

Thanks for the feedback! I'll try and get on some of this tomorrow.

Edited October 26, 2011 by leg3nd
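The client-side check leg3nd describes (alert when the gateway MAC or the local subnet changes), written out here as an added example rather than his script: it records a baseline of gateway IP, gateway MAC and subnet, then compares fresh `route -n` and `arp -n` output against it. All addresses and MACs below are constructed placeholders (the "spoofed" MAC is a locally administered address, not a real vendor's), and the output formats are those of the Linux net-tools `route -n` and `arp -n` commands already used in this thread.

```shell
#!/bin/sh
# Added example of a "gateway MAC or subnet changed" check, in the spirit of
# the basic script leg3nd mentions. Not his code; constructed sample data only.

# Baseline recorded when the trusted network was first joined (constructed values).
IFACE="wlan0"
BASELINE_GW="192.168.0.254"
BASELINE_GW_MAC="02:00:00:11:22:33"        # placeholder, locally administered MAC
BASELINE_SUBNET="192.168.0.0/255.255.255.0"

# Constructed `route -n` and `arp -n` output as seen on the trusted network.
ROUTE_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0'
ARP_OK='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.254            ether   02:00:00:11:22:33   C                     wlan0'

# Same gateway IP, but now answered by a different MAC: what ARP spoofing or a
# look-alike access point looks like from the client's own cache.
ARP_SPOOFED='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.254            ether   02:00:00:aa:bb:cc   C                     wlan0'

# route_gateway IFACE  (stdin: route -n)  -> gateway IP of the default route
route_gateway() {
  awk -v ifc="$1" '$1 == "0.0.0.0" && $4 ~ /G/ && $8 == ifc { print $2; exit }'
}
# route_subnet IFACE   (stdin: route -n)  -> "network/genmask" of the link route
route_subnet() {
  awk -v ifc="$1" '$1 != "0.0.0.0" && $4 !~ /G/ && $8 == ifc { print $1 "/" $3; exit }'
}
# arp_mac IP           (stdin: arp -n)    -> MAC cached for IP, lower-cased
arp_mac() {
  awk -v ip="$1" '$1 == ip { print tolower($3); exit }'
}

# check_network ROUTE_OUTPUT ARP_OUTPUT
# Prints one ALERT line per deviation from the baseline; returns 0 only when
# gateway IP, gateway MAC and subnet all still match.
check_network() {
  route_out="$1"; arp_out="$2"; status=0
  gw=$(printf '%s\n' "$route_out" | route_gateway "$IFACE")
  subnet=$(printf '%s\n' "$route_out" | route_subnet "$IFACE")
  mac=$(printf '%s\n' "$arp_out" | arp_mac "$gw")
  [ "$gw" = "$BASELINE_GW" ] || { echo "ALERT: gateway IP changed: $BASELINE_GW -> ${gw:-none}"; status=1; }
  [ "$subnet" = "$BASELINE_SUBNET" ] || { echo "ALERT: subnet changed: $BASELINE_SUBNET -> ${subnet:-none}"; status=1; }
  [ "$mac" = "$BASELINE_GW_MAC" ] || { echo "ALERT: gateway MAC changed: $BASELINE_GW_MAC -> ${mac:-none}"; status=1; }
  return $status
}

# Demonstration on the constructed data. On a live box the loop would be:
#   while check_network "$(route -n)" "$(arp -n)"; do sleep 10; done
check_network "$ROUTE_OK" "$ARP_OK" && echo "network matches baseline"
check_network "$ROUTE_OK" "$ARP_SPOOFED" || echo "deviation detected, exit status 1"
```

Two practical points: the ARP cache only holds the gateway after the host has talked to it, so a live loop should ping the gateway once before the first comparison or the missing entry is reported as "none"; and the check is only as good as the baseline, so record it on a connection you trust rather than on the first network the machine happens to join.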
MFVX Posted October 26, 2011

Regarding detection of rogue access points, they can be very difficult to detect, especially at a non-end-user level. A couple of ways it CAN be detected are with wireless IDS/IPS systems, SSID spam (if you're responding to a lot of probes it will result in a large list of APs on the client machines), or simply opening up airodump-ng and noticing the very strange behavior that occurs on the access point. Personally, when I go to something like say DefCon.. I use a very very basic script which detects when your gateway MAC address changes and/or when your network's subnet changes. This seems to mitigate most man in the middle attacks.

My worry is on the internet access being shared part. Let's say I have the following network:

The Internet -wifi-> Building Network -wire-> Someone's WIFI AP -wifi-> Attacker's Notebook -wire-> Wifi Pineapple -wifi-> Victim's PC

My doubt is how the administrator of the network I'm forwarding traffic to could detect that Attacker's Notebook is doing nasty things.
leg3nd (Author) Posted October 26, 2011

Anything that you and your clients are doing is going through their network. But all of the attacks, meaning payloads containing code signatures, conspicuous redirects, etc, are being conducted on your pineapple's network. If you look at the example you gave, "Victim's PC" is only 1 hop away from "Attacker's Notebook". Traffic such as a meterpreter session does not go further than that.

As for sslstrip, don't quote me on this because I am not positive, but I believe that all the SSL traffic should be going through as SSL at any point past the attacker machine. The traffic containing credentials is only sent in cleartext as it passes through your system's proxy (sslstrip), then is sent back out as SSL.

Regardless, I don't think the admin has many ways to detect it other than clients connecting/disconnecting on wireless. The traffic he would see looks like normal web traffic, and the payloads never touch that network regardless.
MFVX Posted October 26, 2011

Thanks for the answers, leg3nd! Man, you are really fast!
Jmanuel Posted October 27, 2011

I'm having issues getting airdrop-ng to run. I get this error message every time. I tried apt-get install python-dev but it didn't help.

#################################################
#            Welcome to AirDrop-ng               #
#################################################
Pylorcon error, do you have it installed?
Airdrop-ng will now exit
Sent 0 Packets
Exiting Program, Please take your card mon0 out of monitor mode
MFVX Posted October 27, 2011 (edited)

Just something cool I've found today, and might be useful to someone: XDA - Android: WiFiKill

So, if you don't have an injection-capable dongle, you can use a rooted Android phone to connect to the other APs and make the users look for another AP.

Also, you can use USB tether to provide wireless to your notebook if your native card doesn't have the required Linux drivers. Just check usb0.

Edited October 27, 2011 by MFVX
itsm0ld Posted October 27, 2011

Just something cool I've found today, and might be useful to someone: XDA - Android: WiFiKill. So, if you don't have an injection-capable dongle, you can use a rooted Android phone to connect to the other APs and make the users look for another AP. Also, you can use USB tether to provide wireless to your notebook if your native card doesn't have the required Linux drivers. Just check usb0.

That is interesting, have you tried this app out?
leg3nd (Author) Posted October 27, 2011

Also, you can use USB tether to provide wireless to your notebook if your native card doesn't have the required Linux drivers. Just check usb0.

This is the only way I used to use the pineapple, but then Verizon began throttling services at peak hours, causing my 2.5MB/s down to drop to a whopping 100Kbs/down. This may not be the case for everyone though.

Jmanuel, are you sure you're running the installer correctly? Should be something along these lines to install it (in BackTrack 5)..

apt-get -y install linux-headers-$(uname -r) build-essential make patch autoconf python python-dev make patch gettext autoconf python-psyco subversion tcl8.5 openssl zlib1g zlib1g-dev libssh2-1-dev libssl-dev libnl1 libnl-dev libpcap0.8 libpcap0.8-dev python-scapy cracklib-runtime
chmod +x /pentest/wireless/aircrack-ng/scripts/airdrop-ng/install.py
cd /pentest/wireless/aircrack-ng/scripts/airdrop-ng/ && python install.py
airdrop-ng -u OUIUPDATE
MFVX Posted October 27, 2011 (edited)

That is interesting, have you tried this app out?

Not yet. I don't want to do this kind of thing at my workplace. I'm just waiting till I go back home.

EDIT: Yep, it works fine! Just a little bit dangerous to be distributed that way.

Edited October 28, 2011 by MFVX
Jmanuel Posted October 29, 2011 (edited)

This is the only way I used to use the pineapple, but then Verizon began throttling services at peak hours, causing my 2.5MB/s down to drop to a whopping 100Kbs/down. This may not be the case for everyone though. Jmanuel, are you sure you're running the installer correctly? Should be something along these lines to install it (in BackTrack 5)..

apt-get -y install linux-headers-$(uname -r) build-essential make patch autoconf python python-dev make patch gettext autoconf python-psyco subversion tcl8.5 openssl zlib1g zlib1g-dev libssh2-1-dev libssl-dev libnl1 libnl-dev libpcap0.8 libpcap0.8-dev python-scapy cracklib-runtime
chmod +x /pentest/wireless/aircrack-ng/scripts/airdrop-ng/install.py
cd /pentest/wireless/aircrack-ng/scripts/airdrop-ng/ && python install.py
airdrop-ng -u OUIUPDATE

You are right. For whatever reason airdrop-ng didn't install properly. Now, I tested airdrop-ng on the same laptop that I use to run jasagerPwn. It does deauthorize my laptop from my "homenet" network for a few seconds, but it only does it once, and instead of connecting to my "pineapple" network, it connects back to "homenet". What's the best method to do this, or does it work randomly for only a few computers?

One more thing. If I check my network connections, I'm able to see:
"pineapple" (the default network name on my pineapple, which is unsecured)
"homenet" (the network I use to connect at home, which is secure WPA2-PSK)
"homenet" (fake network, created by my pineapple, which is unsecured)

If I connect manually to the "pineapple" network, I'm able to get an IP, and I also get connection to the internet, but if I connect to the fake "homenet" I get 169.254.x.x. Any ideas why I'm not able to get an IP?

Edited October 29, 2011 by Jmanuel
leg3nd (Author) Posted October 29, 2011 (edited)

Assuming you have Karma turned on, it shouldn't be broadcasting as "pineapple". Secondly, Karma will only respond to probes for UNSECURED wifi networks. Go into your network settings and manually add a network without WEP/WPA, call it "attwifi" or something. Karma should respond to that probe as it has the same security type as your pineapple (unsecured).

A 169 address is a Windows thing (don't remember the name.. but it has one); basically it's Windows' way of saying "Something went wrong and I am bad at handling networks, so I'm going to give you a useless address". Keep in mind most people have at least 1 saved unsecured network in their Windows wifi lists, whether it was that one time they connected at Starbucks, or that time they decided to click on their neighbor's unsecured wifi.

airdrop-ng should DeAuth everybody consistently EXCEPT your gateway interface (gatewayIFACE) and your pineapple's network (assuming you set the MAC address in the script).

Edited October 29, 2011 by leg3nd