Pineapple


C0de_Expl01t

Greetings to everybody that is reading this thread.

I recently got my hands on a wifi pineapple v1.

I configured it in the following way..

My laptop ethernet interface is 192.168.137.10/24 and the wifi is 192.168.137.1; this is to route all the traffic through my laptop.

My internet connection is through my wireless, so I get all the traffic from the ethernet and pass it on to the wireless.

I got this all working and can see all the traffic in wireshark...

So now I am sort of stuck at the Man-In-The-Middle attack...

With my other projects I used firesheep and cain to get all the session cookies...

Before I ask my question, let me state that I am assisting law enforcement with a project.

This is what I want to achieve.

I need to get access to the cookies/sessions .. I need to be able to log into their gmail/facebook accounts.

Here is my question:

What will you use to steal session information?

Do ferret and hamster still work? Or are there new tools that are being used to get this information?

I am still reading and watching videos on this matter, and must say that the majority of them are still referring to hamster and ferret.

Now I know that firesheep does not work on gmail and facebook anymore.

I am just pushed for time, that is why I am asking this question.

Regards... Oh, and nice site... I really enjoy the videos.


If you're "assisting law enforcement" they should be able to get a warrant from google directly, and they can send you the passwords so you won't have any need to illegally steal cookies.

Is this where all those billions of government-spent technology dollars go, to guys like you to come on Hak5 to ask if Ferret & Hamster works for session hijacking?


WOW, nice reply! Clearly you know nothing about law enforcement or what we want to achieve with this, and you don't even have a clue what government I am assisting. So if you cannot post anything positive or relating to the topic, please keep your pie hole closed!

By the way, this government agency bought 6 pineapples from hak5, but they struggle to get them to work. That is why they got me involved.


Pineapple is easy to use. Whatever government you are associated with should contract myself or someone more experienced if you yourself clearly do not know how to fully utilize it.

Pro Tip: Do not insult people who give responses about legalities when it seems that you yourself have no clue on how it works. If you are actively doing the 'investigation' you need the proper warrants and paperwork to essentially 'wire-tap' the individual/s.

If you are doing it in a lab environment as 'training' then you are fine, given all parties have given a form of consent to allow such activities to take place on their connections.

Also in order to get into gmail/facebook (sounds like you are some amateur wanna be hacker, based off of your 'leet-speak' username and specified interest in gmail/facebook with poor spelling.) you will need to circumvent the SSL that is in place on most logins. You would probably have more success with using social exploitation, a legal warrant to get the account information, or learn how to properly MITM.

Also, the Jasager/Pineapple project can be done with a laptop with multiple wifi cards or one wifi card with 1 LAN card, and an internet source. It can also be done with ANY router and sniff the traffic with a laptop being the MITM (Although this method will not 'trick' users to connect to it).

Edited by Mr-Protocol

OK, so let me type slowly this time to avoid the spelling mistakes.

The law enforcement side of things, well, I am not doing this, this is a requirement of the project. In any case... just out of interest, this internet cafe is doing 419 scamming (Nigerians). When you provide google with a warrant they have to give the account holder an opportunity to respond to this claim, and this is where the case gets compromised. The 419 scammer can then delete/change the evidence... hence the law enforcement agency wants to intercept the transmission without anybody knowing about this.

** So I guess somebody is going to say something about this now again, so let's forget that side of the story. **

I don't care if it is legal or not, I despise these 419 scammers, so I will assist them in getting their device to work.

Just so that you know, I am not involved in the investigation at all. I am just assisting them... enough said!

I know the jasager project can be done with a laptop and any wireless AP, I used this about a year ago...

"(Although this method will not 'trick' users to connect to it)" that is why I have suggested the pineapple.

I already have this device working and can see all the traffic, it is being routed through a notebook, so all the clear text passwords are being captured. I use cain and wireshark to get this info.

My main question was around hamster and ferret.

"(sounds like you are some amateur wanna be hacker," whateva whateva whateva.... And again you have to attack the person. You start off in your pro tip to say ... do not insult people... and what do you do?

My goal was to set up a Certificate service that will offer a fake cert to the victim, .. to decrypt the SSL connection and then encrypt it again... but I will look for the answer on another forum. Clearly you guys are only interested in the person and the nic, but not the question at hand.


> OK, so let me type slowly this time to avoid the spelling mistakes.
>
> The law enforcement side of things, well, I am not doing this, this is a requirement of the project. In any case... just out of interest, this internet cafe is doing 419 scamming (Nigerians). When you provide google with a warrant they have to give the account holder an opportunity to respond to this claim, and this is where the case gets compromised. The 419 scammer can then delete/change the evidence... hence the law enforcement agency wants to intercept the transmission without anybody knowing about this.

Still illegal to wiretap unless there is a warrant. Moving on.

> I know the jasager project can be done with a laptop and any wireless AP, I used this about a year ago...
>
> "(Although this method will not 'trick' users to connect to it)" that is why I have suggested the pineapple.

The plain router and laptop as MITM would not trick users. A laptop running Karma WILL trick the users. Pineapple == Karma

> I already have this device working and can see all the traffic, it is being routed through a notebook, so all the clear text passwords are being captured. I use cain and wireshark to get this info.
>
> My main question was around hamster and ferret.

Eww, Windows user. Use linux (BT5R1 has tools pre-installed).

> "(sounds like you are some amateur wanna be hacker," whateva whateva whateva.... And again you have to attack the person. You start off in your pro tip to say ... do not insult people... and what do you do?

Double standards suck, huh? You are a new user, and your first post was begging for help and the second being offensive to other users. OK, moving on..

> My goal was to set up a Certificate service that will offer a fake cert to the victim, .. to decrypt the SSL connection and then encrypt it again... but I will look for the answer on another forum. Clearly you guys are only interested in the person and the nic, but not the question at hand.

So either use SSL Strip or google how to use SSL Strip and/or set up your fake cert. All the info is out there.

In closing, maybe the people who hired you don't know how to google or should hire someone more experienced...


  • 6 months later...

I know this is an old thread, but I'm just reading this now, and think it's so funny.

Guys buy equipment, thinking everyone here are members of a certain hacker group or something.

When the guy mentioned the old 419 thing, I almost felt pity on the lad.

Mr. Protocol, you should have 'scam baited' him.

Guys like C0de_Expl01t give genuine people a bad name!
