leg3nd (Author) Posted October 31, 2011 (edited)

I am pleased to announce a major update in jasagerPwn, to version 1.3 (rev53). Every java applet attack against Windows will now utilize a new vector that spawns a meterpreter shell through powershell injection straight into memory. Since the payload never touches disk, Anti-virus (Yes, ALL anti-viruses) will not detect it. This will only be viable on machines with powershell installed; it is there by default in Vista and Windows 7, but not XP.

The full process in which this works is tedious, but I will try to explain it briefly. First we prepare some alphanumeric shellcode that can be used; we simply use msfvenom/msfpayload to do this. Then we parse this shellcode into a usable format, and convert the powershell command and payload into an "Encoded Command". The powershell "Encoded command" will bypass all powershell execution restriction policies. Then the java applet will first detect whether the victim has powershell installed. If it does, it will deploy the powershell payload onto the system, otherwise it will default to the normal and detectable EXE payload. Long story short, this will run a single command (long command) from the applet which will inject the payload straight into memory and execute.

This concept, implementation, and some code was taken from many sources including ReL1k @ secmaniac.com and Matthew Graeber @ exploit-monday.com

Related articles:
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.secmaniac.com/blog/2011/10/26/the-social-engineer-toolkit-v2-2-codename-son-of-flynn-has-been-released/

Enjoy! Feedback is appreciated!

Edited October 31, 2011 by leg3nd
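The defender's counterpart to the "Encoded Command" technique described in the post above is to log process command lines and decode the argument: PowerShell's execution policy only governs script files, so a command supplied on the command line is not subject to it, and the base64 (UTF-16LE) form hides nothing from anyone who decodes it. The following is an added example, not code from jasagerPwn or from this thread; the log format and the host names are constructed, and the indicator list is an illustrative starting point rather than a complete one.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc),
# followed by the base64 argument. Case-insensitive, as PowerShell is.
ENCODED_ARG = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
HOST = re.compile(r"host=(\S+)")

# Illustrative indicators for the decoded text (assumption: a starter list,
# not a complete one). VirtualAlloc/DllImport show up in in-memory loaders,
# Invoke-Expression/IEX/DownloadString in staged execution.
SUSPICIOUS_TOKENS = (
    "VirtualAlloc", "DllImport", "DownloadString", "Invoke-Expression", "IEX",
)


@dataclass
class Finding:
    host: str
    encoded: str
    decoded: Optional[str]   # None when the argument is not valid base64/UTF-16LE
    hidden_window: bool      # -WindowStyle Hidden present on the outer command line
    suspicious: bool


def encode_command(text: str) -> str:
    """Produce what PowerShell expects for -EncodedCommand: UTF-16LE, then base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> Optional[str]:
    """Reverse encode_command; return None rather than raise on malformed input."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for a powershell process record carrying an encoded command."""
    lowered = line.lower()
    if "powershell" not in lowered:
        return None
    m = ENCODED_ARG.search(line)
    if m is None:
        return None
    encoded = m.group(1)
    decoded = decode_command(encoded)
    host_match = HOST.search(line)
    host = host_match.group(1) if host_match else "unknown"
    hidden = "-windowstyle hidden" in lowered
    tokens_hit = decoded is not None and any(
        t.lower() in decoded.lower() for t in SUSPICIOUS_TOKENS
    )
    # Undecodable arguments are flagged as well: an analyst should look at them.
    suspicious = hidden or tokens_hit or decoded is None
    return Finding(host, encoded, decoded, hidden, suspicious)


def scan(lines) -> List[Finding]:
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


# Constructed process-creation records in a simplified format (not from any
# real system). The encoded arguments are built here so the samples are exact.
SAMPLE_LOGS = [
    '2011-10-31T09:00:00 host=WS01 cmdline="powershell.exe -EncodedCommand '
    + encode_command("Get-Date") + '"',
    '2011-10-31T09:01:00 host=WS02 cmdline="powershell.exe -NoProfile '
    '-WindowStyle Hidden -enc ' + encode_command("Invoke-Expression $stagedScript") + '"',
    '2011-10-31T09:02:00 host=WS03 cmdline="notepad.exe C:\\notes.txt"',
    '2011-10-31T09:03:00 host=WS04 cmdline="powershell.exe -enc AAA"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host}: {'SUSPICIOUS' if f.suspicious else 'ok'} decoded={f.decoded!r}")
```

Run as a script it prints one line per encoded-command record; WS01 (a plain Get-Date) is reported as ok, WS02 (hidden window plus Invoke-Expression) and WS04 (an argument that does not decode) are flagged. Plugging `inspect_line` into whatever produces process-creation events for you is the only change needed for real data.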
Jmanuel Posted November 1, 2011

I just updated jasagerPwn to 1.3. I tried to test the java attack, but my victim's computer wouldn't get any "java update" popup or message. Could you post your Pineapple's configuration (/etc/config network, wireless, and everything else you changed)? I would like to compare your settings with my settings. Thank you leg3nd, and keep doing what you do best...
leg3nd (Author) Posted November 2, 2011 (edited)

Jmanuel, please specify more information regarding your network setup, what OS your victim is running, etc. I am not able to recreate the issue with a fully patched Windows 7 machine running AV and Windows firewall. Here are ALL the configuration files within /etc/config/ on my pineapple. Good luck.
http://info-s3curity.com/jasagerpwn/config.tar.gz

EDIT: If anyone is able to test the latest revision on pineapple mark 3 and report any potential issues, I would greatly appreciate it. I do not have that model to test with. Thanks.

Edited November 13, 2011 by leg3nd
httpCRASH Posted November 13, 2011

Hi, I'm having some problems. I have tried setting up ICS by following the 2 ways explained here (and they both work) http://forums.hak5.org/index.php?showtopic=20930 but when starting the jasagerpwn script I'm back to having no positive nslookups from the victim, even though I can ping both the BT5 laptop and 8.8.8.8 great.. Anyone else have this problem? And if yes, how did you fix it?
leg3nd (Author) Posted November 13, 2011 (edited)

Try setting the "staticGateway" variable in the top of the script. If that doesn't work you can try to change line 147 from..

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to $gatewayIP

to

iptables --table nat --append PREROUTING --in-interface $fonEthernet -p udp --dport 53 -j DNAT --to 8.8.8.8

If you are still not able to resolve DNS, try running 'ipconfig /flushdns' on the victim. Sometimes DNSspoof will leave bad records on the victim if you were trying any of the attacks. Good luck.

EDIT: I'll be adding some other settings to disable many of the extra tools which are now included with the Pineapple Mark 3 as well as some other code clean ups. I do not have a mark 3 to test with. If Hak5 wants to send me one, then I would be glad to integrate everything with it. Until then you will still need to run DHCP on the attacker machine and not the pineapple.

Also, anyone having issues with the applet attack against XP or 2K3 victims, I added a temporary fix. It does not bypass anti-virus, but I will add a shellcodeexec payload to do that once I get some time.

Lastly, there are some great browser exploits released relatively recently for firefox 4 and IE8, so if there is any time to use browserPwn it would be now!

Edited November 17, 2011 by leg3nd
Cassiopeia Posted November 25, 2011

I got a problem with the pineapple after a flash. Thing is it flashed successfully, no problems. And then I'm moving onto your script, and I am going to disable dnsmasq, which I can't since I'm only getting the following:

root@OpenWrt:~# dnsmasq off
dnsmaq: failed to create a listening socket: Address already in use

Any ideas on how to remedy this?
leg3nd (Author) Posted November 27, 2011

Never had this issue, but that is not the way I generally disable dnsmasq. I'm not sure how it will work that way. I generally use the following, as stated on the installation and howto page. If that doesn't help then I'm not sure off the top of my head; it appears to me that either that service is still running or another service is on that port causing a conflict.

/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq disable
leg3nd (Author) Posted November 30, 2011 (edited)

I have released version 1.4. The main changes are streamlined code and additional AV prevention. I took the time to go through and remove a lot of the bloated and unneeded code, and changed a few things in order to speed things up. Overall it was reduced by about 200 lines. Now payloads will only be created once, rather than every time you run an attack. They will be generated the first time you run any attack which requires them, and the same payloads will be reused if you decide to switch attacks; this speeds things up exponentially on slower computers such as netbooks.

I also added in a script I made a couple weeks back to dynamically compile meterpreter payloads for windows rather than using the default metasploit payload. This basically outputs C code from msfpayload, adds random data into different datatypes within that C code, then compiles it. This will cause the signature of the EXE to change, and although some AVs may still detect it, it will drop the detection rate over 60% (Yes this bypasses norton, mcafee, avast, and avg). Here are the VirusTotal results for one of the payloads; results may vary and may worsen over time as vendors catch on.

Normal Meterpreter: Normal Metasploit Generated Meterpreter
Obfuscated Meterpreter: Custom Compiled Meterpreter

Lastly, I added in a basic script to monitor the interface for potential SSN's and CCN's. This can be disabled with the "Extras" variable as well. I did change quite a bit and tested it, but if you do find any bugs or have feedback please feel free to post.

Edited November 30, 2011 by leg3nd
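The SSN/CCN interface monitor mentioned in the post above does, on the wire, the same job a data-loss-prevention sensor does on the defender's side: find candidate patterns in traffic or files, then discard the false positives so that an alert is worth an analyst's time. The code below is an added example, not jasagerPwn's script; it works on text you hand it (the sample is constructed) and uses two standard filters, the Luhn mod-10 check for card numbers and the structural rules the SSA publishes for numbers it never issues, plus a redaction helper so that the matched values themselves never land in an alert log.

```python
import re
from typing import List

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSNs in the conventional AAA-GG-SSSS form.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most random digit runs that match the card pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 or 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text, separators removed."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    """Return structurally plausible SSNs found in text."""
    return [m.group(0) for m in SSN_CANDIDATE.finditer(text)
            if ssn_plausible(*m.groups())]


def redact(value: str) -> str:
    """Mask all but the last four digits so alerts can be logged without the secret."""
    return "".join("*" if ch.isdigit() else ch for ch in value[:-4]) + value[-4:]


# Constructed sample text (not captured traffic). The first card number is the
# well-known Luhn-valid test value; the second fails Luhn; the second SSN has an
# area number that is never issued; the phone number must not match anything.
SAMPLE_TEXT = (
    "order 42: card 4111 1111 1111 1111 exp 12/14\n"
    "order 43: card 1234567812345678\n"
    "applicant ssn 123-45-6789, prior 000-12-3456\n"
    "call 555-123-4567\n"
)

if __name__ == "__main__":
    for card in find_card_numbers(SAMPLE_TEXT):
        print("card number:", redact(card))
    for ssn in find_ssns(SAMPLE_TEXT):
        print("ssn:", redact(ssn))
```

Run as a script this reports one card number (masked to its last four digits) and one SSN; the Luhn-invalid run and the never-issued area number are dropped, and the phone number matches neither pattern. The same functions apply unchanged to reassembled HTTP bodies or files, which is where a DLP sensor would feed them.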
Jippe Posted December 25, 2011

Want to try this script but how to setup pineapple mk3? (karma, etc. settings?)
leg3nd (Author) Posted December 26, 2011

The script will work fine on a MK3 assuming you can get it setup correctly. I have posted some basic instructions on this but do not have a MK3 to test or configure this with. The instructions are purely from output people have sent me and helping a couple people with troubleshooting. It is likely that you will need to do additional steps, but it should point you in the correct direction. The post is here..
http://forums.hak5.org/index.php?showtopic=24966
Smoogle Posted January 12, 2012

I downloaded the file from http://info-s3curity.com/jasagerpwn/jasagerPwn.tar.gz and I am unable to extract the tar.gz file in backtrack 5 r1.
Cassiopeia Posted February 8, 2012

Hey, from what I've read Jasagerpwn for the mk.2 is discontinued, but I wonder if you could upload the .tar again so we can spread it (if you allow that, ALL the credit for you also!) or check so that it is still on your website. //Best regards!
velkrosmaak Posted February 8, 2012

Could someone confirm if this applies only to MKII pineapples, or Mark III as well? Thanks!
ninjaman Posted February 8, 2012

> Could someone confirm if this applies only to MKII pineapples, or Mark III as well? Thanks!

It works fine with both MKII and MKIII. Thank you l3gend!
leg3nd (Author) Posted February 17, 2012 (edited)

This can work with the mark 3. You can download it from my website but it is better to use the svn checkout command on the googlecode page instead.

svn checkout http://jasagerpwn.googlecode.com/svn/trunk/ jasagerpwn

I uploaded the .tar.gz file again for you if you do not want to use SVN to download it. I will still support the project but not as much since people do not appear to use it as much anymore.

Edited February 17, 2012 by leg3nd
nopenopenope Posted February 23, 2012

> This can work with the mark 3. You can download it from my website but it is better to use the svn checkout command on the googlecode page instead.
>
> svn checkout http://jasagerpwn.googlecode.com/svn/trunk/ jasagerpwn
>
> I uploaded the .tar.gz file again for you if you do not want to use SVN to download it. I will still support the project but not as much since people do not appear to use it as much anymore.

I love jasager pwn. I got sad when I started having issues with it, and started having issues with jasager in general and completely switched to the easycreds script and SET for java applet. I'm looking forward to v4, and I hope to see jasagerpwn updated for that.
leg3nd (Author) Posted February 24, 2012

Post any issues that you started to have here and I am sure I can fix them pretty easily. I have been very busy working and traveling, which in tandem with the release of Mark 3, has caused me to not spend much development time on it. I will request a Mark 4 and get it setup for that when it becomes available assuming people still use the script. As of right now, it still works fine for me on my Mark 2.
nopenopenope Posted March 1, 2012

> Post any issues that you started to have here and I am sure I can fix them pretty easily. I have been very busy working and traveling, which in tandem with the release of Mark 3, has caused me to not spend much development time on it. I will request a Mark 4 and get it setup for that when it becomes available assuming people still use the script. As of right now, it still works fine for me on my Mark 2.

I'm going to wait until I can get a mark 4, then I'll start using it again, and using your script. Keep up the good work leg3nd.
Jmanuel Posted April 8, 2012 (edited)

> I'm going to wait until I can get a mark 4, then I'll start using it again, and using your script. Keep up the good work leg3nd.

I have the mark 4, and jasagerPwn works perfectly. Is it possible to disable DHCP on jasagerPwn, so it can be used from the pineapple? What do you think?

Edited April 8, 2012 by Jmanuel
Hackrylix Posted April 12, 2012 (edited)

I just started to use your tool: leg3nd, you're a genius! I want to buy a pineapple box but it's out of order :(

Just a question: Can I disable the wlan option? Since I work on a vm network or on a cabled network. If I let the variable wifi empty, the script isn't happy.

PS: Maybe you could add a DHCP attack, ex: loop with random mac addresses and ask for IPs to fill the dhcp server pool, so it cannot serve addresses anymore. cf hak5 show (forgot which episode)

EDIT: Episode 7x02 (DHCP Exhaustion). This seems to be a msf module (digininja), maybe you can handle this in your awesome tool. Thanks man!

Edited April 12, 2012 by Hackrylix