[Official] CursedScreech


sud0nick

6 hours ago, sud0nick said:

What browser are you using?  I've noticed that sometimes I have to click Send twice before it will actually send anything.  Still haven't figured out why, though.

I'm using Chrome. I already fixed it by entirely removing Cursed Screech and then reinstalling it back again.


  • 4 months later...

Great work on these modules. Question for you. When I successfully deploy a payload and acquire my target, when I attempt to start Kuro, it will start but almost immediately clean up sockets and stop. Any ideas what I am doing wrong? Everything else works great.


@Dmanisit that could be caused by a number of problems.  It's hard to say exactly what the problem is but check the following things.

1. Make sure the network the target is on is reachable by the Pineapple (it's most likely on the Pineapple's network but just make sure).

2. The certificate info may be incorrect (either in the payload or in the Cursed Screech settings).  The payload needs to have a certificate that matches what Kuro expects to receive when attempting to connect.  The certificate presented by Kuro also needs to match what the target expects when it receives a connection.  If either side of the connection isn't trusted it will fail.

3. If neither of these works then send me a PM with more detailed information and screenshots of the module and payload code if possible.


@sud0nick, I wanted to take a moment and thank you for your response. I know that it often goes unnoticed that you do this free of charge, so I appreciate the time you have taken to simply respond. When I get home this evening, I will take a look at your suggestions. I can say this, I followed your YouTube tutorial step by step multiple times in an attempt to get this working. By the way, great tutorials! I too thought it was with the certs, but was not able to identify any issues. Keep up the great work!


@Dmanisit since you've been through the tutorial multiple times the issue may still be with the certs.  The thumbprints of the certs don't get updated in the settings of Cursed Screech until you explicitly select the cert and save the settings.  This means that if you hit a wall somewhere in the tutorial and decide to start over, starting with creating a new set of certs, you'll need to reselect the new certs you create in the settings of Cursed Screech (even if the cert names are exactly the same as the old pair).  I'm not sure if this is exactly your problem but it's happened to me before and I didn't catch it right away.

Edited by sud0nick
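
Why a re-created certificate with an unchanged name no longer matches a stored thumbprint, as an added example (not part of the original post or the module's code). It assumes the pin is a Windows-style SHA-1 thumbprint and that the `openssl` CLI is installed; `make_cert`, `thumbprint`, `check_pin` and the subject `demo.example` are made up for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration: a thumbprint pins one specific certificate, not its name.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# make_cert NAME CN: create a throwaway self-signed cert and key in $WORKDIR.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" 2>/dev/null
}

# thumbprint FILE: SHA-1 fingerprint of the certificate as 40 hex characters
# without colons.
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# check_pin FILE PINNED: succeed only if FILE's thumbprint equals PINNED.
check_pin() {
    [ "$(thumbprint "$1")" = "$2" ]
}

# Constructed scenario: a pin is saved, then the cert is re-created
# with exactly the same subject name.
make_cert old "demo.example"
PINNED="$(thumbprint "$WORKDIR/old.pem")"   # the value a settings page would store
make_cert new "demo.example"                # same name, fresh key pair and serial

if check_pin "$WORKDIR/new.pem" "$PINNED"; then
    echo "new cert matches the stored pin"
else
    echo "stale pin: stored    $PINNED"
    echo "           presented $(thumbprint "$WORKDIR/new.pem")"
fi
```
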

I would love to create a basic payload, but I'm not a programmer. I tried to load VS 2013, but that became a mess. I installed VS 2017 community, but it doesn't look anything like the video tutorials.

Any advice for a non-programmer techie with VS 2017 community would be greatly appreciated. I feel like I just need a couple of pointers in the right direction.

UPDATE: I figured it out.  I am a programmer now.  For some reason, Kuro won't stay running.  I will figure that out   

Too cool  

UPDATE2: All of my problems resulted from NAT instead of Bridged network on Victim VM.  Once I figured that out, there were a few finger fumbles that needed to be corrected.  Everything works great now!  Perfectly.  Two questions.  It looks like Microsoft.com and Google.com are getting through the captive portal.  Is that by design or a setting?  When I click a menu option on the Starbucks captive portal, it actually sends me to the active Starbucks site and to the page I selected. Shouldn't that be blocked?

 

 

 

Edited by Hamstah
Update

  • 5 weeks later...

Hi @sud0nick

Following your tutorial and managed to get quite far. Amazing stuff so far and thank you for your insight and advice.

I have run into 2 small issues.

1) The download on the Captive portal references download/windows/None and not the actual EXE file which I (amazingly enough managed to code with your handy tutorial). I am not sure where to go to change the value from "None" in the URL link to reference NetworkSecurityClient.exe. If I manually type this in, it downloads the file with no problems.

2) I seem to have a connection from my client PC (Windows 10 Creators Update) to the Kuro Server. Output log shows:

[>] Connecting to 172.16.42.157:61687
[+] Connected to 172.16.42.157:61687 via TLSv1.2

Any commands I try to send from Kuro however do not seem to be received or even sending. I can see in your code that you have configured firewall rules so the local Firewall shouldn't be an issue. I did however disable it and it made no difference.

Error logs are empty so I don't have anything from those to share with you. Any insights appreciated.

PS: My top tip for anyone looking for URLs for Captive Portals but finding most of them to be HTTPS based nowadays. Starbucks Wifi URL is now https. Go to Wayback Machine and look at some older versions of sites. Replace the https response link with http and copy and paste the entire URL into your module.

Thanks for your time.

Regards

 


I had to look through the videos to see what this module does.  Pretty cool.  It looks like it acts as a light session manager for machines that have been hooked.  I could see this used for a pineapple left behind connected to an access point to autosnare victims and track them.  You can come along later and connect and then use the control panel to inject your own framework agent like meta or Empire to interact fully with it.

I have an idea to add to all agents that can maybe expand it.  Right now I see your agent maybe using system calls you run command see that Powershell has to be used in front of the commands.  Have you thought about adding a separate command or payload section where you can deposit scripts as modules and then you can call them from the control panel and the command to run them?

Python can run scripts that are delivered as strings.  You could have a section for payloads for python to store all your python modules that can be sent and called to do stuff in python and for the C# one you can include in the agent the Automation class located in the GACs to internally run Powershell scripts in a runspace.  Now you can have a separate section for running modules.

Quote

My top tip for anyone looking for URLs for Captive Portals but finding most of them to be HTTPS based nowadays. Starbucks Wifi Url is now https . Go to Wayback Machine and look at some older versions of sites. Replace the https response link with http and copy and paste the entire URL into your module.

It doesn't copy https urls?  What are the difficulties it has with https sites?  Sets seem to be able to clone https pages fine.  Wonder what Setoolkit is doing to resolve this.


3 hours ago, PoSHMagiC0de said:

It doesn't copy https urls?  What are the difficulties it has with https sites?  Sets seem to be able to clone https pages fine.  Wonder what Setoolkit is doing to resolve this.

It was something I noticed. Sites over https just refused to clone. So I switched to HTTP and had more success. Maybe (probably) it's my configuration :) Wouldn't surprise me!!

Edited by m0nk666

@PoSHMagiC0de and @m0nk666 not sure if you're talking about SEToolKit or PortalAuth but PA can clone HTTPS sites easily.  Regardless this is the CursedScreech thread so I won't speak more on PA.

As for your issue m0nk, it's possible that a command got stuck in the buffer.  Kuro polls cmd.log (found in /pineapple/modules/CursedScreech/includes/forest/) for any commands that have been placed there.  It's rare, but I have seen commands just get stuck in there so any future commands that are added never get pulled in and sent to the target.  Try checking out that file and see if there is anything that needs to be cleared out.  Aside from that it's difficult to tell what the problem could be.  You may want to check Event Viewer on the Windows machine to see if anything has actively blocked the commands.

@PoSHMagiC0de are you talking about running those scripts locally on the Pineapple or sending them to the target so they can execute there?  If you want to execute scripts on the remote system you can upload it as a payload and send it to the target from CursedScreech.  Then, instead of selecting an EZ Cmd, you can type in what you want to execute on their system.


Thanks for your input @sud0nick

I seem to have sorted things out now. HTTPS sites will clone. I need to ensure I don't have too many modules running at the same time on the Nano when I do this. Nano CPU can get quite busy!! I've noticed with some other modules (sslstrip and mana) that using an SD card can be problematic. It seems the kernel has a fit now and again. So I've moved to a USB drive and mounted the ext4 partition as the sd and also another partition as swap space. It really has helped with the stability on the nano when running python scripts. It may help some of the people on here as well. /root/portals/ is also a better bet for me. Once I clone a site, I copy it back and forth between sd partition and main partition. (Appreciate it's a bit off topic so I'll stop with the Portal Auth stuff on here.)

 

Currently looking at a tetra as it seems to have a bit more grunt and capability than the nano in terms of underlying HW. Really appreciate all your help, advice and video to get me started on all of this. It's been a real eye opener!! Keep up the amazing work. And maybe if you have some time, a payload written for an Android device would be interesting to understand as well. CursedScreech is amazingly versatile!! 

 

Regards

Edited by m0nk666

  • 4 months later...
  • 1 month later...

I'm working on an update to this module that will add functionality to work with a new module I'm planning to write.  However, with the latest release of Papers I needed to update how this module interacts with the SSL store so I've pushed those minor changes to GitHub without changing the version number.  If you have the latest version of Papers please reinstall this module from my GitHub repo.  If you're cool with waiting a couple days I should have a pull request in to the pineapple modules repo by then that includes this update.


1 hour ago, Foxtrot said:

Just as a heads up, you must bump the version number before making a PR for the module repository.

Yep, I did.  Was just saying here that I wasn't ready to make an actual release yet so anyone who ran into a problem with the current version could still get it from my repo until I was ready to release the next version.  Luckily I found some time tonight to get it done and submitted the PR.


  • 1 month later...

Hello sud0nick.

I really need your help!

I tried everything to figure it out but I don't find nothing.

My problem is that the Kuro process starts but after a while it closes the connection and stops.

[>] Connecting to 172.16.42.230:50275
[+] Connected to 172.16.42.230:50275 via TLSv1.2
[!] Kuro is ready
[!] Command sent to 172.16.42.230:50275
[!] Closing connection to 172.16.42.230:50275

I've checked the:

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

And it is right.

All certificates are right in place and also all the passwords.

Can you help me please? It's been about 2 days that I've tried to figure it out.

Thank you man! And really nice job!!!


My guess is the payload is crashing on the target system.  It could be related to .NET.  Can you check event viewer for logs or task manager to see if the payload is still running after the connection closes?  Also use netstat to check if the port the payload uses is still listening.


8 minutes ago, sud0nick said:

My guess is the payload is crashing on the target system.  It could be related to .NET.  Can you check event viewer for logs or task manager to see if the payload is still running after the connection closes?  Also use netstat to check if the port the payload uses is still listening.

The payload is still up. If I start Kuro again it can send another command, but after that it closes the connection again. I've checked the events but nothing. Also I've checked the connection with Wireshark and everything is up.


  • 3 months later...

I am using the Pineapple Tetra with a Windows 7 PC (for both host and client). I followed every step of your latest tutorial. The only difference is that I first moved the NetCli.exe payload into the /download/windows directory before cloning the website using Portal Auth. The reason I did this is because it looks like the latest version of Portal Auth allows you to directly pick the payload when cloning, instead of hardcoding into the HTML inject. Can you please confirm that my method is correct? Anyway, the main problem I am facing is when I have a client click on the 'Download Network Client' link. The file downloads fine (either by saving it first and then opening it or just directly running it) but as soon as the file actually opens and the button appears, I immediately get a Windows error message indicating "SecureNetworkClient has stopped working". This error message pops up even before I get the chance to click on the generate access key button. I tried downloading the file on 3 different Windows 7 PCs and they all give me the same error. I even did a factory reset on the pineapple and attempted all the steps again, including recreating the payload in Visual Studio. Would really appreciate it if you could help me out with this!


Okay so I might have been able to figure out the error. I'm not sure if it is actually related but for this line: cs.startSecureServerThread("Payload.payload.pfx", "password") I changed "password" to the same password that I used when creating the payload certificate. Was I supposed to do this in the first place or does it not actually matter if the passwords are different? But now I have a new problem, when I click on the 'generate access key' button, nothing seems to happen? And if I click on it again or try to X out of it, the button ends up freezing and is 'not responding'. In the payload section, I can see that it was able to acquire my targeted machine and I can also see that the socket for it appears on the cursedscreech API.


Okay so I figured out what the issue was. After taking a look at the InjectPHP for payloader, I noticed that there was supposed to be a 'keys' folder added to the directory: /pineapple/modules/PortalAuth/includes/pass/

After manually creating the keys folder using the cabinet module, I am now able to successfully generate an access key from the client. I am now facing a new problem that is very similar to Shadywriter's issue. I sent a Windows Alert through Kuro, it sent out the command but then when I close the popup from the target PC, Kuro immediately closes the connection. Now every time I try to start it up again, Kuro connects back but automatically resends the same command again. 


On 2/13/2018 at 6:35 AM, shadywriter said:

The payload is still up. If I start Kuro again it can send another command, but after that it closes the connection again. I've checked the events but nothing. Also I've checked the connection with Wireshark and everything is up.

Were you able to solve this issue? I am facing the same situation right now and can't figure out how to fix it!


  • 4 weeks later...

 

On 2/13/2018 at 6:35 AM, shadywriter said:

The payload is still up. If I start Kuro again it can send another command, but after that it closes the connection again. I've checked the events but nothing. Also I've checked the connection with Wireshark and everything is up.

I was finally able to find the solution! Apart from everything else I did above, you need to add the 'targetlogs' folder to the following directory: /pineapple/modules/CursedScreech/includes/forest

It looks like for some reason the new firmware updates have been causing issues where the 2 folders (keys & targetlogs) do not get created automatically. Anyway, hope this helps!
