Posted (edited)

I am pleased to announce a major update in jasagerPwn, to version 1.3 (rev53).

Every java applet attack against Windows will now utilize a new vector that spawns a meterpreter shell through powershell injection straight into memory. Since the payload never touches disk, Anti-virus (Yes, ALL anti-viruses) will not detect it. This will only be viable on machines with powershell installed; it is there by default in Vista and Windows 7, but not XP.

The full process in which this works is tedious, but I will try to explain it briefly. First we prepare some alphanumeric shellcode that can be used; we simply use msfvenom/msfpayload to do this. Then we parse this shellcode into a usable format, and convert the powershell command and payload into an "Encoded Command". The powershell "Encoded command" will bypass all powershell execution restriction policies. Then the java applet will first detect whether the victim has powershell installed. If it does, it will deploy the powershell payload onto the system, otherwise it will default to the normal and detectable EXE payload. Long story short, this will run a single command (long command) from the applet which will inject the payload straight into memory and execute.

This concept, implementation, and some code was taken from many sources including ReL1k @ secmaniac.com and Matthew Graeber @ exploit-monday.com

Related articles: http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

http://www.secmaniac.com/blog/2011/10/26/the-social-engineer-toolkit-v2-2-codename-son-of-flynn-has-been-released/

Enjoy! Feedback is appreciated!

Edited by leg3nd
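The encoded-command trick described in the post is also what a defender looks for in process-creation telemetry. The following is an added example, not part of jasagerPwn or the original post: it decodes PowerShell -EncodedCommand arguments from constructed command-line log entries and flags the combination of window/profile suppression flags with in-memory API references in the decoded script. The log lines, the script fragment and the marker list are all constructed assumptions.

```python
import base64
import re

# Constructed sample of a decoded script fragment; it only names an API the post's technique relies on.
SAMPLE_SCRIPT = "$p = [Win32]::VirtualAlloc(0, 1024, 0x3000, 0x40)"
INJECTION_MARKERS = ("virtualalloc", "createthread", "writeprocessmemory", "add-type")

def encode_for_powershell(script):
    """What powershell.exe expects after -EncodedCommand: base64 of the UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation log lines (not real telemetry).
SAMPLE_LOGS = [
    "CommandLine: powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT),
    "CommandLine: powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    "CommandLine: powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date"),
]

def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but the operand is not a valid encoded command
    return None

def assess(cmdline):
    """Return (verdict, reasons) with verdict 'ignore', 'benign', 'review' or 'suspicious'."""
    low = cmdline.lower()
    if "powershell" not in low:
        return "ignore", []
    checks = ((r"-nop(rofile)?(\s|$)", "profile suppressed"),
              (r"-w(indowstyle)?\s+hidden", "hidden window"),
              (r"-e(x|xecutionpolicy|p)\s+bypass", "execution policy bypass"))
    reasons = [label for pat, label in checks if re.search(pat, low)]
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return ("review" if reasons else "benign"), reasons
    reasons.append("encoded command")
    hits = [m for m in INJECTION_MARKERS if m in decoded.lower()]
    if hits:
        reasons.append("decoded script references " + ", ".join(hits))
    # an encoded command alone is common admin tooling; escalate on markers or stacked suppression flags
    verdict = "suspicious" if hits or len(reasons) > 1 else "review"
    return verdict, reasons
```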
Posted

I just updated jasagerPwn to 1.3

I tried to test the java attack, but my victim's computer wouldn't get any "java update" popup or message.

Could you post your Pineapple's configuration (etc/config network, wireless, and everything else you changed)

I would like to compare your settings with my settings.

Thank you leg3nd, and keep doing what you do best...

Posted (edited)

Jmanuel, please specify more information regarding your network setup, what OS your victim is running, etc. I am not able to recreate the issue with a fully patched Windows 7 machine running AV and Windows firewall.

Here are ALL the configuration files within /etc/config/ on my pineapple.. Good luck.

http://info-s3curity.com/jasagerpwn/config.tar.gz

EDIT: If anyone is able to test the latest revision on pineapple mark 3 and report any potential issues, I would greatly appreciate it. I do not have that model to test with. Thanks.

Edited by leg3nd
Posted

Hi,

I'm having some problems. I have tried setting up ICS by following the 2 ways explained here (and they both work)

http://forums.hak5.org/index.php?showtopic=20930

but when starting the jasagerpwn script I'm back to having no positive nslookups from the victim, even though I can ping both the BT5 laptop and 8.8.8.8 great.

Anyone else have this problem? And if yes, how did you fix it?

Posted (edited)

Try setting the "staticGateway" variable in the top of the script, if that doesn't work you can try to change line 147 from..

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to $gatewayIP

to

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to 8.8.8.8

If you are still not able to resolve dns, try running 'ipconfig /flushdns' on the victim. Sometimes DNSspoof will leave bad records on the victim if you were trying any of the attacks. Good luck.

EDIT:

I'll be adding some other settings to disable many of the extra tools which are now included with the Pineapple Mark 3 as well as some other code clean ups. I do not have a mark 3 to test with, If Hak5 wants to send me one, then I would be glad to integrate everything with it. Until then you will still need to run DHCP on the attacker machine and not the pineapple.

Also, anyone having issues with the applet attack against XP or 2K3 victims, I added a temporary fix. It does not bypass anti-virus, but I will add a shellcodeexec payload to do that once I get some time.

Lastly, there are some great browser exploits released relatively recently for Firefox 4 and IE8, so if there is any time to use browserPwn it would be now!

Edited by leg3nd
Posted

I got a problem with the pineapple after a flash; thing is, it flashed successfully, no problems.

And then I'm moving onto your script, and I am going to disable dnsmasq, which I can't since I'm only getting the

"root@OpenWrt:~# dnsmasq off

dnsmaq: failed to create a listening socket: Address already in use"

Any ideas on how to remedy this?

Posted

Never had this issue, but that is not the way I generally disable dnsmasq. I'm not sure how it will work that way.

I generally use the following, as stated on the installation and howto page. If that doesn't help then I'm not sure off the top of my head; it appears to me that either that service is still running or another service is on that port, causing a conflict.

/etc/init.d/dnsmasq stop

/etc/init.d/dnsmasq disable

Posted (edited)

I have released version 1.4 - The main changes are streamlined code and additional AV prevention. I took the time to go through and remove a lot of the bloated and unneeded code, and changed a few things in order to speed things up. Overall it was reduced by about 200 lines.

Now payloads will only be created once, rather than every time you run an attack. They will be generated the first time you run any attack which requires them, and the same payloads will be reused if you decide to switch attacks; this speeds things up exponentially on slower computers such as netbooks.

I also added in a script I made a couple weeks back to dynamically compile meterpreter payloads for Windows rather than using the default metasploit payload. This basically outputs C code from msfpayload, adds random data into different datatypes within that C code, then compiles it. This will cause the signature of the EXE to change, and although some AVs may still detect it, it will drop the detection rate over 60% (Yes this bypasses Norton, McAfee, Avast, and AVG).

Here are the VirusTotal results for one of the payloads, results may vary and may worsen over time as vendors catch on.

Normal Meterpreter: Normal Metasploit Generated Meterpreter

Obfuscated Meterpreter: Custom Compiled Meterpreter

Lastly, I added in a basic script to monitor the interface for potential SSN's and CCN's. This can be disabled with the "Extras" variable as well.

I did change quite a bit and tested it, but if you do find any bugs or have feedback please feel free to post.

Edited by leg3nd
Posted

The script will work fine on a MK3 assuming you can get it setup correctly, I have posted some basic instructions on this but do not have a MK3 to test or configure this with. The instructions are purely from output people have sent me and helping a couple people with troubleshooting.

It is likely that you will need to do additional steps, but it should point you in the correct direction. The post is here..

http://forums.hak5.org/index.php?showtopic=24966

Posted

Hey, from what I've read jasagerPwn for the mk.2 is discontinued, but I wonder if you could upload the .tar again so we can spread it (if you allow that, ALL the credit for you also!) or check that it is still on your website.

//Best regards!

Posted (edited)

This can work with the mark 3, You can download it from my website but it is better to use the svn checkout command on the googlecode page instead.

svn checkout http://jasagerpwn.googlecode.com/svn/trunk/ jasagerpwn

I uploaded the .tar.gz file again for you if you do not want to use SVN to download it. I will still support the project but not as much since people do not appear to use it as much anymore.

Edited by leg3nd
Posted

> This can work with the mark 3, You can download it from my website but it is better to use the svn checkout command on the googlecode page instead.
>
> svn checkout http://jasagerpwn.googlecode.com/svn/trunk/ jasagerpwn
>
> I uploaded the .tar.gz file again for you if you do not want to use SVN to download it. I will still support the project but not as much since people do not appear to use it as much anymore.

I love jasager pwn, I got sad when I started having issues with it, and started having issues with jasager in general and completely switched to the easycreds script and SET for java applet.

I'm looking forward to v4, and I hope to see jasagerpwn updated for that.

Posted

Post any issues that you started to have here and I am sure I can fix them pretty easily. I have been very busy working and traveling, which in tandem with the release of Mark 3, has caused me to not spend much development time on it.

I will request a Mark 4 and get it setup for that when it becomes available assuming people still use the script.

As of right now, it still works fine for me on my Mark 2.

Posted

> Post any issues that you started to have here and I am sure I can fix them pretty easily. I have been very busy working and traveling, which in tandem with the release of Mark 3, has caused me to not spend much development time on it.
>
> I will request a Mark 4 and get it setup for that when it becomes available assuming people still use the script.
>
> As of right now, it still works fine for me on my Mark 2.

I'm going to wait until I can get a mark 4, then I'll start using it again, and using your script. keep up the good work leg3nd.

Posted (edited)

> I'm going to wait until I can get a mark 4, then I'll start using it again, and using your script. keep up the good work leg3nd.

I have the mark 4, and jasagerPwn works perfectly

Is it possible to disable DHCP in jasagerPwn, so it can be used from the pineapple? What do you think?

Edited by Jmanuel
Posted (edited)

I just started to use your tool : leg3nd, you're a genius !

I want to buy a pineapple box but it's out of order :(

Just a question :

Can I disable the wlan option ?

Since I work on vm network or on cabled network.

If I let the variable wifi empty, the script isn't happy.

PS :

Maybe you could add a DHCP attack

ex: loop with random MAC addresses and ask for IPs to fill the DHCP server pool, so it cannot serve addresses anymore. cf hak5 show (forgot which episode)

EDIT :

Episode 7x02 (DHCP Exhaustion). This seems to be a msf module (digininja), maybe you can handle this in your awesome tool.

Thanks man !

Edited by Hackrylix
