Security student seeking help


Jeliason

Hello everyone!

I am a student at a community college and while my major is in Networking Technology, my main interests lie in cyber security. Unfortunately most of my education revolved around configuring Cisco devices, so everything I've learned outside of that has just been mostly on my own and for fun.

Anyway the reason I am posting here is because I'm trying to put together a demonstration for the students here involved in the security certificate program at the college to demonstrate some of the dangers of open WiFi or even secure networks. I would appreciate any suggestions or links to resources anyone has regarding how to properly use this device.

I am currently able to set up my own WAP, deauth clients from it and connect them to my rogue access point. From there I can run DWall and see some traffic, but only if it isn't HTTPS, which is rare now.

I was able to get Evil Portal working somewhat, but the templates I found through the forums aren't working right or I'm doing something wrong. The portal will show up and it will capture the credentials, but the client will see a page that will say "not authorized", then after refreshing the page it will say "authorized" and then you have to open a new tab/window to continue browsing, so it's suspicious.

I've tried to get SSLSplit and DNS2proxy working so I can MITM and bypass HSTS, but I'm at a loss. I have them installed properly and am avoiding the SD card bug by using a USB SD card reader. I open multiple sessions of PuTTY and run sslsplit in one window and dns2proxy in the other. I'm not fully understanding the output because it doesn't seem to be doing what I expected, and I don't know how I'm supposed to use these tools to bypass HSTS. When googling around, in some places I'm seeing people say these tools don't work any more and in others I'm hearing the opposite.

Randomroll works fine and will probably get a laugh so I will use that.

I have random times when the nano just doesn't work properly at all unless I reboot it several times. Clients won't connect properly or other weird unexplainable issues that go away after a reboot. Running some tools (SSLsplit in particular) seems to make it crash sometimes.

I don't yet understand what a lot of these tools do and I am unsure where to look.

How does the Meterpreter module work? I have some cursory experience with the Metasploit Framework, so if I could understand how to use that module better maybe I could do something that way. Does it allow me to MITM and then pivot into the network, or what? Am I supposed to create a Meterpreter payload and get a client to execute it, then connect to them? Does anyone have any suggestions on how I can go about doing/learning this?

Thanks for reading everyone.


On 6.3.2018 at 10:14 PM, Jeliason said:

I've tried to get SSLSplit and DNS2proxy working so I can MITM and bypass HSTS, but I'm at a loss. I have them installed properly and am avoiding the SD card bug by using a USB SD card reader. I open multiple sessions of PuTTY and run sslsplit in one window and dns2proxy in the other. I'm not fully understanding the output because it doesn't seem to be doing what I expected, and I don't know how I'm supposed to use these tools to bypass HSTS. When googling around, in some places I'm seeing people say these tools don't work any more and in others I'm hearing the opposite.

Hi there!
I can give you some pointers regarding sslstrip+dns2proxy. (I reckon that's what you meant, right?)
The reason the success rate is so low now is because most clients are updated against this attack.
When I say clients I mean the actual browsers, or the software that is generating the SSL traffic you want to catch.

Some clients are still vulnerable to the attack, so it's not in vain, just not 100% guaranteed to succeed.

So my opinion (if you want to catch as much encrypted traffic as possible) is to use an embedded device with more power, like the Raspberry Pi.
You can then run the exact same attacks if you will, or those with a higher success rate (bettercap, mitmdump, etc.).

There is a way to get Bettercap running on your Nano/Tetra, but it's horrendously slow! (At least on the Nano.)
That's why I recommend using another device, with more CPU and RAM.


4 hours ago, Zylla said:

There is a way to get Bettercap running on your Nano/Tetra, but it's horrendously slow! (At least on the Nano.)

That's why I recommend using another device, with more CPU and RAM.

The new bettercap should solve this :) 


On 3/10/2018 at 10:57 AM, Zylla said:

Hi there!
I can give you some pointers regarding sslstrip+dns2proxy. (I reckon that's what you meant, right?)
The reason the success rate is so low now is because most clients are updated against this attack.
When I say clients I mean the actual browsers, or the software that is generating the SSL traffic you want to catch.

Some clients are still vulnerable to the attack, so it's not in vain, just not 100% guaranteed to succeed.

So my opinion (if you want to catch as much encrypted traffic as possible) is to use an embedded device with more power, like the Raspberry Pi.
You can then run the exact same attacks if you will, or those with a higher success rate (bettercap, mitmdump, etc.).

There is a way to get Bettercap running on your Nano/Tetra, but it's horrendously slow! (At least on the Nano.)
That's why I recommend using another device, with more CPU and RAM.

Yes, that's what I meant actually, oops. I have played quite a bit with Raspberry Pis, so I could definitely try doing that; I was just hoping to make some use of my shiny Christmas present :-) I don't even need to catch as much traffic as possible, I just want to demonstrate that open networks are a bad idea. Or is this less of an issue now? I just was under the impression that you shouldn't use an open network for anything sensitive without using a VPN.

I forgot to mention I noticed in Probe requests I can see hidden SSIDs, so I would demonstrate that. Are there any other simple things I can do to show things like this that the average user may not think of?

Where can I find out which clients are still vulnerable so I could set up a target? Or would this just be a matter of trial and error?

21 hours ago, Sebkinne said:

The new bettercap should solve this :) 

Is the new one what is currently available, or an upcoming release? I will look into this.

Thanks for the replies.


Is there a way to edit my replies so I don't keep adding new ones?

I looked up bettercap; it sounds very cool. Should I just use the existing tool from bettercap.org as it is through the CLI, or is there a module in the works somewhere?


21 hours ago, Sebkinne said:

The new bettercap should solve this :) 

I haven't tested the latest version on the Pineapples. It's been a while since I attempted to get it running. That's awesome :)
I didn't mean to sound disrespectful or anything against the Pineapples; it's just been my experience that a lot of these "ssl-tunneling proxies" require a lot of "juice".
I'm very impressed by the Pineapples, and they come with a lot of useful closed-source software unique to the Pineapples.
So if one is experienced with penetration testing, especially WiFi-related stuff, the sky is the limit on the Pineapples! It's a beast :)


21 minutes ago, Zylla said:

I haven't tested the latest version on the Pineapples. It's been a while since I attempted to get it running. That's awesome :)
I didn't mean to sound disrespectful or anything against the Pineapples; it's just been my experience that a lot of these "ssl-tunneling proxies" require a lot of "juice".
I'm very impressed by the Pineapples, and they come with a lot of useful closed-source software unique to the Pineapples.
So if one is experienced with penetration testing, especially WiFi-related stuff, the sky is the limit on the Pineapples! It's a beast :)

What is the problem with Bettercap? I can't install it.

@ Building linux/amd64 ...
./build.sh: line 58: go: command not found
du: cannot access '*': No such file or directory


20 hours ago, marechok said:

What is the problem with Bettercap? I can't install it.

@ Building linux/amd64 ...
./build.sh: line 58: go: command not found
du: cannot access '*': No such file or directory

I still haven't tested the newest release, so I'm not sure what changes have been made.
But looking at the error output, you're missing Go.
And probably a lot of libraries... So I reckon one would need to manually cross-compile it using the SDK for OpenWRT.


Don't try building it on the Pineapple, it's much easier to do it on a desktop.

Also, there are pre-compiled binaries for Bettercap in the Git repository.

Also also, as Bettercap is written in Go, compiling for MIPS is as simple as "GOOS=linux GOARCH=mips go build" on the command line.


I can't get bettercap to run at all. I downloaded the MIPS non-64-bit, non-LE build; I assumed this was the right one. I also tried all the others just to be sure, but they don't work either.

Here's what happens; this is after I've unzipped the binary:

root@Pineapple:/sd/bettercapdir# ls -al
drwxr-xr-x    2 root     root          4096 Mar 14 19:26 .
drwxr-xr-x   14 root     root          4096 Mar 14 19:25 ..
-rwxr-xr-x    1 root     root      17178180 Mar 13 17:08 bettercap
root@Pineapple:/sd/bettercapdir# ./bettercap
-ash: ./bettercap: not found
root@Pineapple:/sd/bettercapdir# bettercap
-ash: bettercap: not found
root@Pineapple:/sd/bettercapdir#

I tried adding to $PATH with export PATH="$PATH":/sd/bettercapdir: but that didn't help.


1 minute ago, Jeliason said:

I can't get bettercap to run at all. I downloaded the MIPS non-64-bit, non-LE build; I assumed this was the right one. I also tried all the others just to be sure, but they don't work either.

Here's what happens; this is after I've unzipped the binary:

root@Pineapple:/sd/bettercapdir# ls -al
drwxr-xr-x    2 root     root          4096 Mar 14 19:26 .
drwxr-xr-x   14 root     root          4096 Mar 14 19:25 ..
-rwxr-xr-x    1 root     root      17178180 Mar 13 17:08 bettercap
root@Pineapple:/sd/bettercapdir# ./bettercap
-ash: ./bettercap: not found
root@Pineapple:/sd/bettercapdir# bettercap
-ash: bettercap: not found
root@Pineapple:/sd/bettercapdir#

I tried adding to $PATH with export PATH="$PATH":/sd/bettercapdir: but that didn't help.

Yeah, I also couldn't get it running.
Taking a quick look at the binary it seems to be compiled for Linux 3.x kernels. Not sure if that's the cause, or if we're missing some libraries, as no error message was displayed.
I'll be looking deeper into it when I get time =)
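A common reason ash reports "not found" for a file that is present and executable (as in the ls output quoted above) is that the ELF image asks for a dynamic loader path (its PT_INTERP entry) that does not exist on the device, for example a glibc loader on a musl-based OpenWrt system; a binary built for the wrong CPU class or endianness is the other thing to rule out. The checker below is an added example, not code from this thread or from the bettercap project: it parses the ELF header and program headers to report class, endianness, machine and requested loader, then compares them with the device. It assumes the Nano is 32-bit big-endian MIPS (matching the GOARCH=mips build mentioned earlier) and uses /lib/ld-musl-mips-sf.so.1 as an assumed example loader path; the sample ELF image is constructed inline.

```python
import struct
import sys

EM_NAMES = {3: "x86", 8: "mips", 40: "arm", 62: "x86-64", 183: "aarch64"}
PT_INTERP = 3  # program header type that carries the dynamic loader path


def elf_info(data):
    """Return class, endianness, machine and requested loader of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]      # EI_CLASS
    end = {1: "<", 2: ">"}[data[5]]      # EI_DATA: 1 = little endian, 2 = big endian
    machine = struct.unpack(end + "H", data[18:20])[0]
    if bits == 32:
        phoff = struct.unpack(end + "I", data[28:32])[0]
        phentsize, phnum = struct.unpack(end + "HH", data[42:46])
    else:
        phoff = struct.unpack(end + "Q", data[32:40])[0]
        phentsize, phnum = struct.unpack(end + "HH", data[54:58])
    interp = None  # stays None for a static binary, which needs no loader
    for i in range(phnum):
        ph = data[phoff + i * phentsize:phoff + (i + 1) * phentsize]
        if bits == 32:
            p_type, p_offset, _, _, p_filesz = struct.unpack(end + "5I", ph[:20])
        else:
            p_type, _, p_offset, _, _, p_filesz = struct.unpack(end + "IIQQQQ", ph[:40])
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return {"bits": bits, "endian": "big" if end == ">" else "little",
            "machine": EM_NAMES.get(machine, str(machine)), "interp": interp}


def why_not_runnable(info, bits, endian, machine, loaders_on_device):
    """List the reasons a binary described by `info` cannot start on the device."""
    reasons = []
    if (info["bits"], info["endian"], info["machine"]) != (bits, endian, machine):
        reasons.append("architecture mismatch: binary is %d-bit %s-endian %s"
                       % (info["bits"], info["endian"], info["machine"]))
    if info["interp"] and info["interp"] not in loaders_on_device:
        reasons.append("missing dynamic loader " + info["interp"])
    return reasons


def build_sample(interp=b"/lib/ld-linux.so.3"):
    """Constructed minimal ELF32 big-endian MIPS image: header, one PT_INTERP entry, path."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    hdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    ph = struct.pack(">8I", PT_INTERP, 84, 0, 0, len(interp) + 1, len(interp) + 1, 4, 1)
    return hdr + ph + interp + b"\0"


if __name__ == "__main__":  # usage: python elfcheck.py ./bettercap (sample image if no file given)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = elf_info(blob)
    print(info, why_not_runnable(info, 32, "big", "mips", {"/lib/ld-musl-mips-sf.so.1"}))
```

Run it on the device against the downloaded file; an empty reason list with a non-None interp means the loader is present, and a None interp means a static build that needs no loader at all.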


23 hours ago, Zylla said:

Yeah, I also couldn't get it running.
Taking a quick look at the binary it seems to be compiled for Linux 3.x kernels. Not sure if that's the cause, or if we're missing some libraries, as no error message was displayed.
I'll be looking deeper into it when I get time =)

Thanks anyway. In the meantime I'm going to just try running bettercap on Kali and see what I can accomplish that way.


Archived

This topic is now archived and is closed to further replies.
