Jump to content

Owned My Neighborhood & android app ?...


JackChitt
 Share

Recommended Posts

I was being lazy yesterday and wanted to play with my pineapple but didn't feel like going anywhere. I have a pretty extensive wireless set up for my home that consist of a pair of 24dbi grid antennas for my own personal internet requirements. So I thought, "I wonder what would happen if I connected my pineapple's broadcasting end to it along with an amplifier I bought years ago to try to extend my wireless cards range." (epic fail) So I set everything up for data collection, kicked on karma and let her rip. I got a little side tracked watching tv and playing xbox. About a hour and a half later I decided to check it out, not expecting much.. I had 23 clients connected and I'm collecting all their credentials!! Best of all, it's mostly people I know and neighbors. I am still running it as I type this thread. The most clients I have seen at one time was 56. I don't live in a big city or anything but I am most satisfied with my results so far. I do have one problem though.. I would like to either block internet to android apps or find a way to de-authenticate them before they can be used when first connected to my network. Any ideas??

Link to comment
Share on other sites

You're using SMA antennas? Or are you using the SMA to rp-sma adapters?

And what do you mean by android apps? Do you mean block specific hardware like Android phones/Tablets? Not really sure what you mean...

Link to comment
Share on other sites

Maybe there are certain blocks of MAC addresses that are assigned to android devices? I am new to the whole WIFI pineapple thing though, so I don't know. Heard that some devices are assigned certain blocks of MAC addresses, like the pineapples, which is why a mac changer exe is sent along with each pineapple. You want to deauth the android clients that connect to your network right?

Another thing you could try is getting a list of the IP addresses that some of these apps contact, and if the device connects to one of these addresses deauth it. Would be very app specific.

Edited by overwraith
Link to comment
Share on other sites

You're using SMA antennas? Or are you using the SMA to rp-sma adapters?

And what do you mean by android apps? Do you mean block specific hardware like Android phones/Tablets? Not really sure what you mean...

Yes I am using a N to SMA adapter. Okay let me explain myself a little better. Most all android apps keeps the user authenticated unless the user restarts the phone or kills the app via app manager. So even if the user connects to my network I will never see there creds no matter how much they use the app. I am asking if there is a way I can de-authenticate android apps so when it is reopened it will either ask for their info to log in or will authenticate like the app was freshly started.

Link to comment
Share on other sites

Or that will work as well..I would much rather find a way to deauth the app as to not cause suspicion.

What is "deauth the app"... what does that mean? Do you want to deauth the device that is connected to your pineapple? Or do you want to block a specific program? You keep mixing those terms and I understand their use differently with regards to the Pineapple....

Link to comment
Share on other sites

What is "deauth the app"... what does that mean? Do you want to deauth the device that is connected to your pineapple? Or do you want to block a specific program? You keep mixing those terms and I understand their use differently with regards to the Pineapple....

You must read the quote above my post to understand... I am not talking about de-authenticating a client from a wireless network. I am trying to sign a user out of an android app.

Edited by JackChitt
Link to comment
Share on other sites

Its actually harder than it sounds. Even if you cut off the connection to Facebook or Twitter, you wouldn't sign them out. Try putting your phone in airplane mode then open Facebook, it just says "no connection".

Even forwarding requests from ""http://www.facebook.com/logout.php" won't work, you just get redirected to "/home.php". I guess its down to either come kind of cookie or session type thing or maybe some PHP voodoo.

Haven't actually checked on my own Pineapple, but is there a way to do session hijacking? Would probably be the closest to what you're after.

Surprisingly, sites like Facebook and Twitter are actually pretty good at keeping user details tied up little bows so nasty hackers can't get to them..

Link to comment
Share on other sites

I totally understand what you are trying to say:

1) You have got several Android devices or iOS devices connected to your pineapple.

2) All have apps for facebook twitter or even mails are preconfigured within their device.

3) You are wondering how to get their credentials, since Mitm wont work.

This is the same thing i've been wondering, infact, if someone could develop some infusion that we would be able to use as post-exploitation that could copy their preconfigured password files from their device. Just a thought!!

Also, what about gmail using https now? I tried sniffing through ettercap and sslstrip, and i could'nt get the credentials.

Link to comment
Share on other sites

Also, what about gmail using https now? I tried sniffing through ettercap and sslstrip, and i could'nt get the credentials.

Maybe they use something a little more advanced now that cannot be downgraded to a lower form of encryption. I hear that SSL/TLS is supposed to be a better version of HTTPS.

Link to comment
Share on other sites

This is the same thing i've been wondering, infact, if someone could develop some infusion that we would be able to use as post-exploitation that could copy their preconfigured password files from their device. Just a thought!!

Not gonna happen, I'm afraid. You'd need to be able to get root access to the device remotely. That in itself is pretty unlikely!

*IF* you were able to get SSH access to the device (funnily enough is still pretty common on jailbroken iPhones, try root:alpine) then you can SCP out anything you like. On Androids, people tend to be a lot more tech-savvy and lock down their SSH or at least change the default password. It's not as simple as just 'copying out their preconfigured password files'.

The apps are pretty darn secure, and you're not gonna be able to just sniff out the logins because they remain authenticated unless the app is force-closed. Even if the internet connection is lost or the server is unavailable, they still won't attempt to re-authenticate. You'd have to be pretty damn lucky to grab a login from an app.

Maybe they use something a little more advanced now that cannot be downgraded to a lower form of encryption. I hear that SSL/TLS is supposed to be a better version of HTTPS.

As far as I know, SSL/TLS can't be downgraded to HTTPS/SSL 2.0, so yeah sslstrip isn't gonna work. It's actually surprising that sslstrip has remained working this long!

Link to comment
Share on other sites

I am asking if there is a way I can de-authenticate android apps so when it is reopened it will either ask for their info to log in or will authenticate like the app was freshly started.

I guess its down to either come kind of cookie or session type thing or maybe some PHP voodoo.

Neither of this will work. This apps are encrypting their data wich makes Man In The Middle Attacks pointless.

Maybe look into DNS spoof and running your own phishing pages?

In my expirience this seems the only way. Spoofing all traffic (172.16.42.1 *) will not let the app connect to it's servers wich will lead the app to show a "No Internet Connection"(even if the pineapple IS connected). After that 80% of the victims will try to use their browsers to check the internet connection and there is where your phishing page will appear.

F.Y.I

Apple devices check for internet connection every time they connect to a network. If there is a captive portal in this network (or you are spoofing all traffic to your phishing page) a pseydo-browser will pop-up and wont let the user do anything else (including using any of this apps) until it gets through the captive portal (or your phishing page by entering their credentials).

Link to comment
Share on other sites

Thank you so much for your valuable input, so this means that Jail Broken Iphones can be hacked if they are connected to our pineapple, is that right? If so, then what tool should be used to get access to the root, and where to look for the password files. I saw a tutorial on youtube for something similar:-

In this, the attacker uses armitage and metasploit to find vulnerabilities, checks if the iphone is jail broken, and if the default password is the same we gets access to the root.

Now here are my questions:-

1) We get an iphone connected to our pineapple. (Assuming it is jail broken)

2) Is it possible to use Armitage and Metasploit on backtrack along with pineapple?

3) Say, once we get access to the root, where to look for the "Password Files" or Login credentials that are stored in the apps?

I am new, and just curious, please excuse me if i sound stupid.

Furthermore, since we are talking about hacking iOS, shannon did a video in which she used a USB rubber ducky to put a persistent shell in mac which we can get access to through netcat. Now since such a simple script can accomplish that, is it not possible to have an injection similar to that but on the iphones? Instead of using usb rubber ducky for which we need to have physical access to the device, we could use an injection that can be put using this splash page. When the user clicks accept, the script is installed and we get access.

Not gonna happen, I'm afraid. You'd need to be able to get root access to the device remotely. That in itself is pretty unlikely!

*IF* you were able to get SSH access to the device (funnily enough is still pretty common on jailbroken iPhones, try root:alpine) then you can SCP out anything you like. On Androids, people tend to be a lot more tech-savvy and lock down their SSH or at least change the default password. It's not as simple as just 'copying out their preconfigured password files'.

Link to comment
Share on other sites

In my expirience this seems the only way. Spoofing all traffic (172.16.42.1 *) will not let the app connect to it's servers wich will lead the app to show a "No Internet Connection"(even if the pineapple IS connected). After that 80% of the victims will try to use their browsers to check the internet connection and there is where your phishing page will appear.

First of all, Thanks guys for all your valuable input on this issue. I have been doing something similar to what KiatoGS has described but instead of directing them to a phishing page for one website, I have been redirecting them to a spoofed "Android Security Update" page where my server of AndroRat is downloaded. I have it set up in mobile format and if a standard browser opens it, they will be redirected to Google. I have been quiet successful doing this and haven't even crypted my server. I guess most people think they don't need an AV on their phone.. As far as the Metasploit/Armitage attack goes.. I attempted this and it was just too much of a hassle. I would rather have something I can automate. BUT my pineapple is acting up again, have to see about getting a replacement be for any more research can be done.. :(

Edited by JackChitt
Link to comment
Share on other sites

Yes I am using a N to SMA adapter. Okay let me explain myself a little better. Most all android apps keeps the user authenticated unless the user restarts the phone or kills the app via app manager. So even if the user connects to my network I will never see there creds no matter how much they use the app. I am asking if there is a way I can de-authenticate android apps so when it is reopened it will either ask for their info to log in or will authenticate like the app was freshly started.

I was being lazy yesterday and wanted to play with my pineapple but didn't feel like going anywhere. I have a pretty extensive wireless set up for my home that consist of a pair of 24dbi grid antennas for my own personal internet requirements. So I thought, "I wonder what would happen if I connected my pineapple's broadcasting end to it along with an amplifier I bought years ago to try to extend my wireless cards range." (epic fail) So I set everything up for data collection, kicked on karma and let her rip. I got a little side tracked watching tv and playing xbox. About a hour and a half later I decided to check it out, not expecting much.. I had 23 clients connected and I'm collecting all their credentials!! Best of all, it's mostly people I know and neighbors. I am still running it as I type this thread. The most clients I have seen at one time was 56. I don't live in a big city or anything but I am most satisfied with my results so far. I do have one problem though.. I would like to either block internet to android apps or find a way to de-authenticate them before they can be used when first connected to my network. Any ideas??

Could you expand on the type/brand of 24dbi grid antenna and amp you have? Been looking at purchasing and would appreciate any input.

Cheers,

~phu

Link to comment
Share on other sites

In my expirience this seems the only way. Spoofing all traffic (172.16.42.1 *) will not let the app connect to it's servers wich will lead the app to show a "No Internet Connection"(even if the pineapple IS connected). After that 80% of the victims will try to use their browsers to check the internet connection and there is where your phishing page will appear.

How do u do that? Opening only sorters ports? DNS spoofing? Or phishing ?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...