Page 4 of 6 (Results 31 to 40 of 56)

Thread: Bruteforce attack useless

  1. #31 (Member; joined Feb 2010; 204 posts)

    Had a look at squid and squirm and I think we are overdoing it.

    Simplest way would just be a redirect to port 80 (apache) until an exploit happens.

    I would just have a static page that says so-and-so is out of date, you must upgrade by clicking this link..... embed the link with the exploit exe and that's it, and in the background have other exploits running too.

  2. #32 (Member; joined Sep 2008; 146 posts)

    Hey guys, wondering if I could get a little help? I've been working on making my karmetasploit AP transparent for a few days now and it is driving me nuts. The upside is I've learned a ton about how networks and things such as DNS and DHCP work; the downside is that they don't want to work for me!

    I am trying to get simple internet connectivity for the clients connected to my fake AP, let me illustrate.

    Client>>><<<Airbase AP>>><<<RealAP>>><<<Internet

    My client is a 1 GHz Pentium with 256 MB RAM running unpatched XP, with an old Dell TrueMobile wireless-b-only card.

    My Airbase host is a Dell 1525, 2.0 GHz Core 2 Duo, 3 GB RAM, Intel 4965AGN internal wifi (wlan0), and an ALFA 500mW USB with RTL8187 chip (wlan1).

    My Real AP is a Netgear wireless AGN router with standard firmware connected to a comcast cable modem.

    I have tried a few different methods to get this to work, such as:
    Modifying the dhcpd.conf and using dhcpd as per the instructions on page 4.
    Using the DNSMasq program which BadKarma suggested here: http://forums.remote-exploit.org/showthread.php?t=17108
    Using brctl and bridging to simply forward packets from one MAC to another.

    Currently I have had the most luck with IPMASQ using a script from:
    http://tldp.org/HOWTO/IP-Masquerade-...EWALL-IPTABLES

    Here is the script without all the #crap from the website: START
    -----------------------------------------------------------------------------------------------------------
    #!/bin/sh
    #
    # rc.firewall-iptables
    FWVER=0.76

    echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"

    #IPTABLES=/sbin/iptables
    IPTABLES=/usr/sbin/iptables
    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe

    EXTIF="wlan0"
    INTIF="at0"
    echo " External Interface: $EXTIF"
    echo " Internal Interface: $INTIF"

    echo -en " loading modules: "
    echo " - Verifying that all kernel modules are ok"
    $DEPMOD -a

    echo "----------------------------------------------------------------------"
    echo -en "ip_tables, "
    $MODPROBE ip_tables
    echo -en "ip_conntrack, "
    $MODPROBE ip_conntrack
    echo -en "ip_conntrack_ftp, "
    $MODPROBE ip_conntrack_ftp
    echo -en "ip_conntrack_irc, "
    $MODPROBE ip_conntrack_irc
    echo -en "iptable_nat, "
    $MODPROBE iptable_nat
    echo -en "ip_nat_ftp, "
    $MODPROBE ip_nat_ftp
    #echo -e "ip_nat_irc"
    #$MODPROBE ip_nat_irc
    echo "----------------------------------------------------------------------"
    echo -e " Done loading modules.\n"
    echo " Enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo " Enabling DynamicAddr.."
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    echo " Clearing any existing rules and setting default policy.."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    echo " FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    echo -e "\nrc.firewall-iptables v$FWVER done.\n"
    ---------------------------------------------------------------------------------------------------------------------
    SCRIPT END

    Here is my method for arriving where I am.

    I start an airbase AP
    "airbase-ng -c 11 -e "TestWifi" wlan1"
    This starts airbase on my ALFA, I am just using it for testing right now so I omitted the -C -P and all that and made a basic AP

    I then set my new at0 interface
    "ifconfig at0 up"
    "ifconfig at0 192.168.1.1 netmask 255.255.255.0"
    I wasn't sure what I should set the IP of at0 to, so I have tried multiple things such as 10.0.0.1 and 192.168.1.10, all with the same netmask.

    Then I run the rc.firewall-iptables script from the link above. The only modification I made to it was to set the location of iptables from
    "IPTABLES=/usr/local/sbin/iptables" to
    "IPTABLES=/usr/sbin/iptables"
    I also set all references to eth0 as wlan0 for my EXTERNAL interface and anything as eth1 to at0 for my INTERNAL interface.

    This seemed to solve the errors I got when it said that the iptables commands didn't exist, and fixed my references to point to the correct interfaces.

    I then run the script and get this:
    "Loading simple rc.firewall-iptables version 0.76.."

    "External Interface: wlan0"
    "Internal Interface at0"
    "loading modules: - Verifying that all kernel modules are ok"
    ---------------------------------------------------------------------------------------------
    "ip_tables, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp"
    ----------------------------------------------------------------------------------------------
    "Done loading modules."

    "Enabling forwarding.."
    "Enabling DynamicAddr.."
    "Clearing any existing rules and setting default policy.."
    "FWD: Allow all connections OUT and only existing and related ones IN"
    "Enabling SNAT (MASQUERADE) functionality on wlan0"

    "rc.firewall-iptables v0.76 done."

    So far so good, I then connect to the internet through my router with wlan0 and connect my client to my Airbase AP, and I get nothing. I can successfully connect my client to airbase, but it just black holes the client. I watched wireshark carefully and here is what I see.

    Wlan1 (ALFA) gets a lot of packets, most of it is just broadcasts and normal stuff.

    at0 gets packets only from clients connected to the Airbase AP, it also seems to be handling ARP requests and DHCP requests and assigning an IP address to the clients.

    wlan0 (Intel) Gets nothing, unless I try to browse from my Airbase PC then it gets normal traffic, but not a single packet makes it from at0 to wlan0 and vice versa.

    If anyone could help me get this working I would be incredibly grateful! I've been working on this forever and it is driving me batty! If there are other, simpler ways of achieving the same kind of function please let me know.
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  3. #33 (Good friend of the forums; joined Jun 2008; 425 posts)

    I'm still working on this, so my answer might not help.
    Try on the fake AP "route add default gw <ip of real ap>".
    If you can browse the web from the fake AP, you got as far as I have.
    One page back someone (I forgot the user) said to try "route add -net <real ap ip>".

    Hope it helps

  4. #34 (Member; joined Feb 2010; 204 posts)

    Quote Originally Posted by compaq:
    I'm still working on this, so my answer might not help.
    Try on the fake AP "route add default gw <ip of real ap>".
    If you can browse the web from the fake AP, you got as far as I have.
    One page back someone (I forgot the user) said to try "route add -net <real ap ip>".

    Hope it helps
    I'm almost there with this, final stages to go through and I'll release a video plus all the commands and files I use

    Need to do the redirect script on demand and create a meterpreter exe bound to some other program. Looking towards the end of this week to have it complete and running


    edit:

    If we want to use airbase we cannot create an unencrypted network, otherwise Windows alerts the users that this is an unencrypted network, thus causing more suspicion; therefore we use airbase-ng -0 ... is this correct? Unfortunately I don't have a spare PC to demo on until later this week.

  5. #35 (Member; joined Sep 2008; 146 posts)

    I'm not sure if putting encryption on it is going to help; remember if you are using "airbase-ng -P -C 30" it should suck in any clients in range that have cached APs. I've just been using my iPhone for testing but the phone assumes that the fake AP is trusted and connects automatically.

    The only time it would make sense to put encryption on would be if you were targeting a specific client/AP and wanted to spoof the targeted AP completely.

    Basically it comes down to how much attention the target is paying to their connection.

    One other thing I'd like to start working on is integrating more function into the karma.rc. I'd really like to get nmap to scan targets as they connect and start autopwning them. This is going to take time however, which is why it's so important that they can surf the net while this is going on in the background.
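The detection-side counterpart to the behaviour described in post #35 (an AP run with airbase-ng -P answering every probe request so that clients with cached profiles associate automatically). The Python below is an added example, not code from this thread or from the aircrack-ng project: it runs over a constructed list of 802.11 management-frame summaries rather than a live capture, and flags any BSSID that sends probe responses for SSIDs it never beacons, which is how a Karma-style AP looks from a wireless IDS sensor or a monitor-mode capture. The Frame record, the sample frames, the MAC addresses and the threshold are all assumptions of this example.

```python
"""Flag access points that answer probe requests for many unrelated SSIDs.

A Karma-style rogue AP responds to every probe request it hears, impersonating
whatever network the client asks for. A legitimate AP only answers probes for
the SSID(s) it actually serves, so one BSSID sending probe responses for
several SSIDs it does not beacon is a strong indicator. The frame records
below are a constructed sample (hypothetical MACs and SSIDs), not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    kind: str   # "beacon", "probe_req" or "probe_resp"
    src: str    # transmitter MAC: BSSID for beacon/probe_resp, client MAC for probe_req
    ssid: str   # SSID carried in the frame ("" for a wildcard probe request)


SAMPLE_FRAMES = [
    # legitimate AP: beacons one name and only answers probes for that name
    Frame("beacon",     "00:11:22:33:44:55", "HomeNet"),
    Frame("probe_req",  "aa:bb:cc:00:00:01", "HomeNet"),
    Frame("probe_resp", "00:11:22:33:44:55", "HomeNet"),
    # Karma-style AP: beacons one name but answers every probe it hears
    Frame("beacon",     "de:ad:be:ef:00:01", "TestWifi"),
    Frame("probe_req",  "aa:bb:cc:00:00:02", "CoffeeShop"),
    Frame("probe_resp", "de:ad:be:ef:00:01", "CoffeeShop"),
    Frame("probe_req",  "aa:bb:cc:00:00:03", "attwifi"),
    Frame("probe_resp", "de:ad:be:ef:00:01", "attwifi"),
    Frame("probe_req",  "aa:bb:cc:00:00:01", "HomeNet"),
    Frame("probe_resp", "de:ad:be:ef:00:01", "HomeNet"),
    Frame("probe_req",  "aa:bb:cc:00:00:04", ""),          # wildcard probe
    Frame("probe_resp", "de:ad:be:ef:00:01", "TestWifi"),
]


def summarize(frames):
    """Per BSSID: the SSIDs it beacons and the SSIDs it sends probe responses for."""
    beacons = defaultdict(set)
    responses = defaultdict(set)
    for f in frames:
        if f.kind == "beacon":
            beacons[f.src].add(f.ssid)
        elif f.kind == "probe_resp":
            responses[f.src].add(f.ssid)
    return beacons, responses


def find_karma_suspects(frames, max_foreign_ssids=1):
    """Return {bssid: sorted SSIDs it answered for but never beaconed}.

    A BSSID is reported when it sent probe responses for more than
    `max_foreign_ssids` SSIDs that it never advertised in a beacon. The default
    of 1 tolerates a hidden-SSID AP (beacons "" and answers with its real name).
    """
    beacons, responses = summarize(frames)
    suspects = {}
    for bssid, answered in responses.items():
        foreign = answered - beacons.get(bssid, set())
        if len(foreign) > max_foreign_ssids:
            suspects[bssid] = sorted(foreign)
    return suspects


def probed_ssids_answered(frames, bssid):
    """SSIDs that clients probed for and `bssid` then answered.

    Shows the 'answer whatever is asked' pattern directly for one BSSID.
    """
    probed = {f.ssid for f in frames if f.kind == "probe_req" and f.ssid}
    _, responses = summarize(frames)
    return sorted(probed & responses.get(bssid, set()))


if __name__ == "__main__":
    for bssid, ssids in find_karma_suspects(SAMPLE_FRAMES).items():
        print(f"{bssid} answered probes for SSIDs it does not beacon: {ssids}")
        print(f"  client-probed SSIDs it echoed: {probed_ssids_answered(SAMPLE_FRAMES, bssid)}")
```

On the sample the legitimate BSSID is not reported and the Karma-style one is, with CoffeeShop, HomeNet and attwifi listed as foreign SSIDs. The threshold is the tuning knob: a hidden-SSID AP or one co-hosting a second SSID on the same BSSID produces at most one or two foreign names, while a responder-to-everything accumulates a new one for each distinct client profile it hears. The check needs management frames from a monitor-mode capture or a wireless IDS sensor; the same approach can be run on the client side by watching whether a single BSSID answers several of the client's own saved profile names.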

  6. #36 (Member; joined Feb 2010; 204 posts)

    Quote Originally Posted by Revelati:
    I'm not sure if putting encryption on it is going to help; remember if you are using "airbase-ng -P -C 30" it should suck in any clients in range that have cached APs. I've just been using my iPhone for testing but the phone assumes that the fake AP is trusted and connects automatically.

    The only time it would make sense to put encryption on would be if you were targeting a specific client/AP and wanted to spoof the targeted AP completely.

    Basically it comes down to how much attention the target is paying to their connection.

    One other thing I'd like to start working on is integrating more function into the karma.rc. I'd really like to get nmap to scan targets as they connect and start autopwning them. This is going to take time however, which is why it's so important that they can surf the net while this is going on in the background.
    I've been trying to get my Nokia N95 to connect but it doesn't; it gets an IP address but doesn't surf the net. I think it has to do with IPv6, anyone have a clue?

  7. #37 (Member; joined Feb 2010; 204 posts)

    What do you guys think is best for post-exploitation?

    Meterpreter allows scripting so we execute as soon as we get a connection

    I was thinking

    hashdump
    Grab Wireless keys
    Leave netcat/cryptcat

  8. #38 (Member; joined Feb 2010; 204 posts)

    Quick update for those that are interested

    For Transparent Fake AP -- i.e. the user is allowed to use the Internet. Some of you have had problems with the victim not being able to view webpages but being able to ping IP addresses. This is a DNS resolving issue. Redirect the UDP port to your router instead, then it will work. Or you can be adventurous and create a DNS server on your attacking machine.

    For Non-transparent fake AP -- this is when you don't have a connection to the Internet but still want to redirect your users to a splash screen. You will need to either have a DNS server running or use a DNS poisoning program that will redirect any queries wherever you want.


    Progress made so far

    Able to create fake access point using airbase-ng
    Able to redirect user to splash screen at will
    Allow user to surf the internet if a connection is available.

    Fake access point is in the range of 10.0.0.20 to 10.0.0.50
    No need to recompile meterpreter.exe each time, can use 10.0.0.1,
    user is redirected to an exploit page --- exploit page can have meterpreter.exe or a host of other exploits --- I am going for a simple page that displays -- critical update required, please download and run exe

    final stage left to do

    Write a script that does the following
    disable antivirus - script available
    hash dump
    install cryptcat for later use and modify reg to start automatically at reboot
    dump wireless keys --- can use wireless key dump unless someone has an alternative
    clear event logs
    log out


    edit --- fully successful on an XP SP3 PC
    disable antivirus -- scripts work
    hash dump -- works
    dump wireless keys --- also working

    still to do --- silent install of VNC and cryptcat for later use
    bind meterpreter.exe to another exe
    need to modify wirelesskeyviewer exe to bypass some AVs

  9. #39 (Good friend of the forums; joined Jun 2008; 425 posts)

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00010 or 00011 or 00012 then security (value encrypted)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\00010 or 00011 or 00012 then profile/wep/wpa (value clear text)

    lost the paper with radius and other wpa/wep

  10. #40 (Member; joined Sep 2008; 146 posts)

    This is really great stuff, however I was wondering about a few things in your setup hm2075.

    I'm a complete Linux networking newb so try to bear with my descriptions here. My question is basically, what method did you use to achieve transparency? My investigations have shown me that there are a few ways that could possibly work.

    The first and simplest way I tried was just bridging the interfaces at layer two. I was hoping that I could trick my AP into thinking that there was only one client and assign an IP to the at0 interface, which would assign its own IPs to clients that connected on the subnet. My hope was that all the packets would just get pushed through both interfaces and just kinda work. While this might have worked on Windows, in Linux it was a futile attempt.

    My next try was to use dhcpd.conf and assign IP addresses to clients that associate to my fake AP. I was able to do this; my snag came from trying to get the clients on my fake AP subnet to talk to my real AP subnet, and eventually make it out to the router. I tried fooling around with IPTables but I couldn't find any good information about achieving the functionality I wanted, and I am still too newb to do it from the ground up.

    I also played briefly with DNSMasq; DNSMasq seemed to have all the functionality I needed, but once more I couldn't find any tutorials on doing what I wanted to do.

    I went out and got myself a few textbooks on basic and advanced networking in a Linux environment and am learning all this stuff from the ground up since it is knowledge I will need to have sooner or later anyway. I would just really like to know what method or programs you used to get transparency. I don't want to seem like a mooch since you have obviously been working on this for a while, but if you could point me in the right direction I would be grateful.
