Jump to content

PSA: Phishing Pages


Sebkinne

Recommended Posts

Correct, Foxtrot. People wouldn't be able to see the WiFi Pineapple forum unless they're logged in, although they will readily be able to search and see the rest of the forums. And there is nothing that will prevent them from registering, unless things are arranged such that only confirmed purchasers of the Pineapple are allowed to register. I wouldn't presume to second guess the Owners/Administrators of the forum on that note, as that decision is completely up to them.

I'm not talking about a total blackout. I respect your opinion, and know first exactly what your opinion is on before coming to the conclusion that it's "stupid." The point of this idea is to prevent script kiddies and malicious hackers from abusing the information contained in this forum. Just as important, the corollary to this is that we, the (hopefully) responsible owners and users of the Pineapple will be able to more freely talk about and share our ideas. An "invisible" forum is also non-crawlable by G, which will prevent the kiddies and the malicious from being led here when they're looking for an easy score to do some harm, not to mention over-cluttering the forum with incessant, nonsensical requests and over-burdening the Administrators/Moderators with headaches, and then by necessity, them having to impose more and more restrictions.

Hak5 will retain it's presence, ranking and standing on G and other search engines as much as it does now. Only the number of script kiddies and malicious people seeking to abuse the Pineapple (even non-related things) will be drastically reduced. IMO, I say that's very good for Hak5 as a whole, for the Pineapple forum, for the Administrators and moderators or the forums, and for us.

Link to comment
Share on other sites

I don't really see putting anything private as helping. It's free to make an account and rather simple. It's not a matter of "hiding" anything about the project. It is about not letting it be perceived as a criminal tool.

Hence the Disclaimer which is posted everywhere.

WiFi Pineapple is a wireless penetration testing tool
for use in authorized security audits where permitted.
Check laws and obtain client permission before using.
Hak5, LLC., Darren Kitchen, Robin Wood, Rob Fuller,
Sebastian Kinne and affiliates claim no responsibility for
unauthorized use. Please Hack Responsibly.

This is similar to how BackTrack/Kali forums work. If a user is asking for help which is perceived as a criminal act, the user is given the appropriate actions.

Link to comment
Share on other sites

But can make some post private, only for memebers that reach a number of posts.

Yes exactly, Boba Fett. This is but one of the proposed ideas. I had used this in my past fourm to great effect. Forum members could not reach a restricted, inner forum until they accumulated 100 posts, which presumed they weren't foolish enough or irresponsible enough to get booted along the way. 999 out of 1000 malicious people of any variety will never stick around long enought to make 100 coherent, cordial posts if they're just looking for something to cause some quick mayhem. I hate to use cliche, but where the malicious leechers are concerned, those 100 posts literally are like garlic to a vampire.

Link to comment
Share on other sites

I don't really see putting anything private as helping. It's free to make an account and rather simple. It's not a matter of "hiding" anything about the project. It is about not letting it be perceived as a criminal tool.

Hence the Disclaimer which is posted everywhere.

This is similar to how BackTrack/Kali forums work. If a user is asking for help which is perceived as a criminal act, the user is given the appropriate actions.

I understand exactly what you are saying, Mr-P. Moreover I, still, agree with your premise. My suggestion is not to hide the forum for the sake of hiding it, but rather to abscure it to the malicious .... those who would readily use the Pineapple as a criminal tool ... precisely what you ... what we want to avoid. Think of how you might deal with a firearm. If you have one, you don't throw it away if you have a child, or if the potentiality or malicious people breaking in exists, but you do put child safety locks on it, even perhaps put it in a safe to keep it out of the hands of your child or malicious intruders should they come around. By taking these steps to reduce the aforementioned scenario, you drastically reduce the possibilty of the firearm being used as a criminal tool, or being misused by a curious but mischievous child who may not know any better. I would argue nothing more or less is the goal here.

My main concern is this: as knowledge of the WiFi Pineapple becomes more freely disseminated, you will, by simple necessity and cause and effect, have to tighten down and become more and more restrictive regarding the features/abilities of the Pineapple. I've seen it before, on large and small scale. And the primarly loss is not to those who were malicious to begin with. The primary loss is to you ... to us, the people who were resposible to begin with. Just as thugs and criminals give firearms a bad name, malicious hakers will give the Pineapple a bad name.

And for the moment, the Disclaimer notwithstanding, it would be nice if the malicious or criminal minded were always courteous enough to telegraph their neferious intent. But most of them don't. Once enough of these types have committed enough acts and enough obdurate complaints received, it may well be bye-bye forum. I don't want to see that happen and am sure I'm not alone in that regard.

As I made clear from the beginning, the suggestions I set forth are genuinely and only my humble opinion, backed by some direct experience. Consider them or dismiss them as you see fit.

Link to comment
Share on other sites

Then that 100 posts would currently make it private to even you with 48 posts. I don't feel we should do a post limit due to people who may have never signed up with the forums and have professional intentions.

I certainly can't speak for others, but I'd be willing to wait until 100 posts, even 200 posts, as long as it means I can more freely share information with the members of that forum. My goal is the same as yours; preserve the integrity of the WiFi Pineapple. And being relegated to the "outside" forum isn't a death sentence. If they're a professional, they'll understand that, as well as the need for the precautions.

Link to comment
Share on other sites

  • 2 weeks later...

As a member of the forum for over a year, and admitingly, not posting a great deal, all I can think of is one thing..

With Great Power Comes Great Responsibility ( Sorry ;) )

In fairness though, there does seem to be a large amount of kiddies recently, but that's kind of expected as the popularity of the pineapple reaches a bigger audience.

In my opinion, although it goes against my own personal beliefs, is simply just ignore the "How do I hack FB ?" type posts. Looking through reddit, these posts simply disappear soon enough. Look also at the posters, they post between 1 and 5 posts like this and go away. If they are genuine noobs (I was one too) then they'll hopefully go away and learn how to code, how to hack responsibly and when they come back mature a bit.

As stated above, genuine Pentesters will often create phish pages on the fly. It really isnt hard.

Sorry for adding to the debate, but I really hate it when the community frangments over an issue like this. The openness and genuine help that I have received from users here has been fantastic. It'd be harmful to the community if we couldn't genuinely help newcomers with genuine problems (ICS problems, etc)

Link to comment
Share on other sites

  • 1 month later...

As a Hak5 fan and Pineapple owner, I would like to say, I've been to the forums a bunch of times just to see what's going on and to check out what other people have been using their pineapples for. I only made an account when I couldn't access the web interface and didn't realize the update changed the address of the web interface from 172.16.42.1/pineapple to 172.16.42.1:1471 but I ended up finding it in the forum and didn't have to post :)

For this reason and many others, it would be a very bad idea to limit the forums for anyone, especially segregation based on the number of posts made! No offence but that's a really counter productive idea, it would surely almost halt the growth of the community.

I don't see why everyone is debating this to such an extent, especially you Zephyr. The only way to really stop script kiddies, regardless of membership/post status whatever, is to stop breast-feeding them scripts. As soon as you put a post limitation and they find out (like by reading this thread) they'll start posting total crap just to increase their count, which provides only headaches for the community and especially the mods. It is pointless.

Further more, this isn't even a script kiddie issue, it's a moral/legal issue (maybe even a pineapple image issue). The "read first" disclaimer post clearly states the forums will not encourage malicious intent, period. This is a standard across most forums.

Link to comment
Share on other sites

  • 2 months later...

Also being a newbie here and having no authority :P (thanks Zephyr for your earlier comment I agree 100%) I just wanted to add that I enjoy building phishing pages myself and I believe that adds to the learning process that is so important in the field of pentesting. I understand why sharing them would be beneficial, helping eachother and making suggestions from experience, etc. Unfortunately too many people troll forums like these looking for easy ways to h@kz0r their friend's facebook page, etc. This is something that we all have experienced throughout forums from the days of totse to now. In the past on forums I could always PM others if we felt like sharing information of this calibur. :ph34r:

Link to comment
Share on other sites

  • 2 months later...

device that allows you to create dns redirects, facilitate mitm, and sniff login creds doesnt allow you to share phishing pages. odd

While I can understand the stance and the reason why (legality, public perception worries when the site is dependent on hardware sales and advertisment/sponsorship), it is an odd place for a hacker friendly site to be in. As hackers, we stand for common principles, one of which is the free flow of information regardless of the skill factor, political nature, public perception, and to some even legality.

Let us remember that legal concerns are temporal, dependent on location, and are subject to change with short notice. And remember, when we say NO DOGS Allowed, they are really just saying not allowed here.

one must ask themself, if we cant create or share phishing pages what else cant we do. What other features of the pineapple could be heald back ... in the internet world censorship isn't well liked.

Edited by bigthinker
Link to comment
Share on other sites

device that allows you to create dns redirects, facilitate mitm, and sniff login creds doesnt allow you to share phishing pages. odd

While I can understand the stance and the reason why (legality, public perception worries when the site is dependent on hardware sales and advertisment/sponsorship), it is an odd place for a hacker friendly site to be in. As hackers, we stand for common principles, one of which is the free flow of information regardless of the skill factor, political nature, public perception, and to some even legality.

Let us remember that legal concerns are temporal, dependent on location, and are subject to change with short notice. And remember, when we say NO DOGS Allowed, they are really just saying not allowed here.

one must ask themself, if we cant create or share phishing pages what else cant we do. What other features of the pineapple could be heald back ... in the internet world censorship isn't well liked.

Guess your post boils down to the definition of hacker. That is a very vague term.

The pineapple has been, and will be, considered, developed and marketed as a pentesting device.

That defined, the subforums dedicated to these devices are also, by definition, to discuss and support the device in that context.

Are script kiddies who have one post and one goal "pentesters"? Those with a financial stake and have defined how they want their forums to be viewed have decided how they want their resources to be considered for various reasons. The forums are their resources, and its their option as to how those resources are used.

Are you free to decide for yourself how you define "hacker", or how you use the device, or what info you want to share? Sure. Everyone here would agree.

Are you free to use the forums in that fashion? Within the rules set by those who run them and have financial stake in them, sure. They have decided that, open offerings of phishing pages has a negative impact on just why people come here. Those who have a stake in this have made a decision, theyve explained their position, and have stated you're free to exchange them via pm, etc, but openly offering phishing pages is tantamount to offering point and click scripts for people who simply want to use the device for reasons that aren't in line with the stated purpose of the device and project, or even the forums.

There are plenty of resources readily available to get 100s of pages with a click (insert lmgtfy link here). Its been decided that the forum resources will not be used for that.

There is a distinct difference between "censorship" and the right to use your own resources in the fashion you choose to.

Keep in mind the freedom to choose a different place to spend your time is always a choice one has open to them, 100%.of the time.

Link to comment
Share on other sites

device that allows you to create dns redirects, facilitate mitm, and sniff login creds doesnt allow you to share phishing pages. odd

While I can understand the stance and the reason why (legality, public perception worries when the site is dependent on hardware sales and advertisment/sponsorship), it is an odd place for a hacker friendly site to be in. As hackers, we stand for common principles, one of which is the free flow of information regardless of the skill factor, political nature, public perception, and to some even legality.

Let us remember that legal concerns are temporal, dependent on location, and are subject to change with short notice. And remember, when we say NO DOGS Allowed, they are really just saying not allowed here.

one must ask themself, if we cant create or share phishing pages what else cant we do. What other features of the pineapple could be heald back ... in the internet world censorship isn't well liked.

Let me preface this post by saying I'm a little tipsy. But we allow discussion of phishing pages, but not when it comes to facebook and other social media. This is a pen-testing tool, not a "how 2 hax facebook @cnts" or whatever. Even though legal concerns are dependent on location, this is primarily US based (US Based as Hak5, LLC) and I'm sure the laws for unauthorized access using/of a computer system are pretty common, cover most people that purchase it. And if you are a professional pen tester, you wont need to ask on a forum how to make a website clone phishing page.

Also, what hfam said. Thanks btw for posting that. Read it after I made my post :P

Link to comment
Share on other sites

  • 3 weeks later...

The Joy of Hacking

Personally, I am relieved the phishing pages were not ready made. Seb...it absolutely did not take 10min for me to construct my first page, it took much longer. That, however, was my first page. I found it necessary to put in some seat time and learn php, html, css, javascript and so forth. So what Seb says is on the money, once you learn how the integration works, its pretty much find, fix and forget..which is boring as hell.

As with everything, the pain of learning is the reward and there are no shortcuts for that. It isn't worth it guys...if you are not finding joy in the learning process, then there is an open wire within your hacker ethos. This is a craft. Letting others do the seat time will rob you of the fun. When you invest your time and mind you get the whole experience. That is the point of living outside the box.

The pointers are great, but the handouts are theft of joy.

It would be so much better to see posts akin to say "What is the difference between an inline CSS style file reference for a HTML table within a form and a standard file reference within an html tag?" That is someone who is trying to learn. That is also someone who is having all the fun.

And one other thing...if I were a black-hat...I would very much want to know everything about what my gear is doing...all the way down to every line of code if possible. For obvious reasons.

Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...