Monday, 23 December 2013

Access point + beef server + amazon cloud

I wanted to explore the idea of getting devices to automatically connect to my access point. Once connected, they are able to browse as normal, but certain sites trigger a redirect to my Apache page. I thought initially to set up a web portal for this purpose, and have everyone redirected to this page before being able to access the internet. At this point I could hook browsers. I ended up doing it a different way and used dnsmasq to redirect specific sites.

So what happens is a user types in a certain address, and dnsmasq redirects them to my Apache server. I have it wait for 20 seconds until I hook the browser, then they get redirected to another fake page hosted on the cloud. (JUST TO NOTE THIS WAS ALL DONE FOR RESEARCH PURPOSES ON MY OWN NETWORK).



Here's the access point script I set up. Note the airbase-ng -P option, which basically makes it respond to all probes from devices. The -y means it won't respond to broadcast probes, so as to limit its workload. The -C20 relates to how long the probes are sent out. For instance, a device sends out a probe for homeWifi. My access point will see this and send out probes saying 'that's me :)' for 20 seconds.
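From the defender's side, the behaviour just described (one transmitter answering probes for whatever SSID it hears) is also what makes such an access point stand out in a monitor-mode capture. The script below is an added example and not part of this post or of airbase-ng: it reads constructed (BSSID, SSID) records of the kind a probe-response capture reduces to, and flags transmitters that claim more distinct SSIDs than a legitimate access point would. The threshold, the sample lines and the tab-separated format are assumptions made for the example.

```python
"""Flag transmitters that answer probes for many unrelated SSIDs.

Added example, not code from the original post or from airbase-ng. It does
not touch a wireless interface: it reads constructed text records of the
form "<bssid>\t<ssid>" (a monitor-mode capture of probe responses reduced
to those two fields) and reports BSSIDs that advertise more distinct SSIDs
than a normal access point would.
"""
from collections import defaultdict

# Constructed sample capture: one probe response per line, "bssid<TAB>ssid".
# A real AP repeats its own SSID; the second transmitter claims every
# network name that client devices probed for.
SAMPLE_CAPTURE = """\
aa:bb:cc:00:00:01\thomeWifi
aa:bb:cc:00:00:01\thomeWifi
aa:bb:cc:00:00:02\tCoffeeShop
aa:bb:cc:00:00:02\tAirport_Free_WiFi
aa:bb:cc:00:00:02\thomeWifi
aa:bb:cc:00:00:02\tOfficeNet
aa:bb:cc:00:00:02\txfinitywifi
aa:bb:cc:00:00:03\tOfficeNet
aa:bb:cc:00:00:03\tOfficeNet-Guest
"""

# Above this many distinct SSIDs from one BSSID we raise an alert; a
# dual-SSID (main + guest) AP stays under it. Assumed value for illustration.
MAX_SSIDS_PER_BSSID = 2


def parse_capture(text):
    """Yield (bssid, ssid) pairs; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t", 1)
        if len(parts) != 2 or not parts[0].strip():
            continue
        yield parts[0].strip().lower(), parts[1].strip()


def ssids_per_bssid(records):
    """Group the distinct SSIDs seen from each transmitter."""
    seen = defaultdict(set)
    for bssid, ssid in records:
        seen[bssid].add(ssid)
    return seen


def find_promiscuous_responders(text, max_ssids=MAX_SSIDS_PER_BSSID):
    """Return {bssid: sorted list of claimed SSIDs} for suspicious transmitters."""
    return {bssid: sorted(ssids)
            for bssid, ssids in ssids_per_bssid(parse_capture(text)).items()
            if len(ssids) > max_ssids}


if __name__ == "__main__":
    for bssid, ssids in find_promiscuous_responders(SAMPLE_CAPTURE).items():
        print(f"ALERT {bssid} answered probes for {len(ssids)} SSIDs: {', '.join(ssids)}")
```

On the sample data only the second transmitter is reported; the third, which carries a main and a guest network, stays under the threshold.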

BeEF comes with an option to autostart certain modules. This can be achieved by editing the modules and adding 'autostart: true' to the config.yaml file. Not all modules work, so you can experiment to see which ones do start.

Once the access point and BeEF are up and running, you can try to see if users are being hooked. You have to edit your dnsmasq.conf file to add in the websites you want to spoof. I actually made a separate dnsmasq.hosts file where I add in my pages.
An easy way to get a copy of a page from the web is to use, for instance: wget http://www.facebook.com -O test2.htm
This is what I hosted on my Apache server, with a BeEF hook added to get browsers on my BeEF server. I also autostarted an invisible iframe to try and keep the browser hooked. I have the Apache page stall for 20 seconds before redirecting the user to my server on the cloud.

It's been fun to mess around with BeEF and have different modules autostart. I'd like to expand on this and look into the Metasploit modules that can be integrated into BeEF, particularly focusing on getting a Meterpreter session on a mobile device. Using my phone as a client I have managed this by directing the iframe to a reverse_tcp payload. It seems once the session is opened, any subsequent commands are not recognized in the Meterpreter session: 'Unknown command' shows up. I have to try and fix this.





Thursday, 7 November 2013

Raspberry web interface for scripts

After getting some of my scripts working, I wanted to be able to turn them on via a web interface. I've made a very basic interface to turn on the scripts. It's not going to win any design awards, but it does what I want for the moment. I might add some features to it later.

My OS does come with apache installed but I reckon this might hog resources, especially as I may be running kismet at the same time. Enter lighttpd. I think it runs as one process and has way less overhead.

apt-get install lighttpd

You have to edit some things in lighttpd.conf before you have it up and running.
path: /etc/lighttpd/lighttpd.conf
Now, in order to get Python and bash working, we need to enable CGI:
add in "mod_cgi", to the list of modules.

From trying out my web GUI it seems the default www-data user doesn't have permissions to initiate scripts; even if you modify the sudoers file to give permissions, you'll still run into problems. I've added the user root to make sure they do run. Of course this is not exactly secure, running scripts as root from a web application! But it gets it working. Well, not quite.. lighttpd has added in a safety net to stop you adding the root user.
You have to actually modify the source files to get around this, recompile, and then swap the installed lighttpd binary for your modified one.
Download the lighttpd tar file and install it manually.
Here's a good step-through: guide
Here's the link to the download: download page
From there jump into the src folder and look for the server.c file. Now we have to edit an if statement that stops you being root user.
I just deleted the two if statements which stopped uid and gid being 0 (root).
Now you can save the file and run the installer. Afterwards you need to copy the created lighttpd binary, which you will use in a fresh install of lighttpd. Save it to your desktop.
Now apt-get install lighttpd.
We just need to replace the freshly installed lighttpd binary with our modified one.
Head to /usr/sbin and look for the lighttpd file. Replace it with your modified lighttpd file.

Here is my modified lighttpd.conf file where I added root as user.

Also at the end of the file add this so it knows where to look for python and bash so we can run scripts.
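Since the post itself points out the risk of running CGI scripts as root, here is a small check for exactly that combination. This is an added example, not code from this post or from lighttpd: a parser for the key = value settings of a lighttpd.conf text and an audit that reports the server user or group being root, and CGI enabled on top of that. The two config fragments inside it are constructed for the example; the hardened one keeps the same cgi.assign mapping but runs as www-data, which is the setting to aim for by making the scripts in cgi-bin readable and executable by that user rather than by running the server as root.

```python
"""Audit a lighttpd.conf for the risky combination described in the post.

Added example, not code from the original post or from lighttpd. It parses
the ``key = value`` settings of a lighttpd.conf text and flags the server
running as root, and CGI (mod_cgi with a cgi.assign mapping) running as
root. Both configurations below are constructed samples for this example.
"""
import re

RISKY_CONF = '''
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_cgi",        # enables the scripts under /var/www/cgi-bin
    "mod_accesslog"
)
server.document-root = "/var/www"
server.username  = "root"
server.groupname = "root"
cgi.assign = ( ".py" => "/usr/bin/python", ".sh" => "/bin/bash" )
'''

HARDENED_CONF = '''
server.modules = (
    "mod_access",
    "mod_alias",
    "mod_cgi",
    "mod_accesslog"
)
server.document-root = "/var/www"
server.username  = "www-data"
server.groupname = "www-data"
cgi.assign = ( ".py" => "/usr/bin/python", ".sh" => "/bin/bash" )
'''

# key = value (or key += value), where value is a (...) list, a "quoted"
# string or a bare token. The (...) alternative swallows the whole list so
# the "=>" pairs inside it are never mistaken for settings of their own.
_SETTING = re.compile(r'([\w.\-]+)\s*\+?=\s*(\([^)]*\)|"[^"]*"|\S+)')


def parse_lighttpd_conf(text):
    """Return {key: [raw values]} with # comments stripped; += just appends."""
    text = re.sub(r"#.*", "", text)
    settings = {}
    for key, value in _SETTING.findall(text):
        settings.setdefault(key, []).append(value)
    return settings


def quoted_strings(values):
    """All "..." strings found inside a list of raw values, in order."""
    return [s for v in values for s in re.findall(r'"([^"]*)"', v)]


def audit_lighttpd(text):
    """Return a list of (severity, message) findings; empty means nothing flagged."""
    s = parse_lighttpd_conf(text)
    modules = set(quoted_strings(s.get("server.modules", [])))
    user = quoted_strings(s.get("server.username", []))
    group = quoted_strings(s.get("server.groupname", []))
    cgi_on = "mod_cgi" in modules and bool(s.get("cgi.assign"))
    # cgi.assign alternates ".ext", "/interpreter"; keep the interpreter halves.
    interpreters = quoted_strings(s.get("cgi.assign", []))[1::2]

    findings = []
    if "root" in user or "root" in group:
        findings.append(("high",
                         "lighttpd worker runs as root (server.username/server.groupname)"))
        if cgi_on:
            findings.append(("critical",
                             "CGI is enabled, so every script under cgi.assign (%s) executes as root"
                             % ", ".join(interpreters)))
    return findings


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_lighttpd(conf) or "no findings")
```

Run against a real file with `audit_lighttpd(open("/etc/lighttpd/lighttpd.conf").read())`; the parser only understands the flat key = value form shown, not lighttpd's conditional blocks.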


Now create a folder where you will hold all your scripts to run:
Head to /var/www and create a new folder, mkdir cgi-bin

Now pile all your scripts into cgi-bin and you're ready to make a web page that will call them.

I made my test page in /var/www and called it test.html


Here's the page:

Now I can browse to my Pi's address, i.e. http://192.168.43.15/test.html

If you want lighttpd to start on boot so you can jump into the web interface,
head to /etc/rc.local
add in: service lighttpd start
Now it will start on boot. Yippee

Wednesday, 6 November 2013

Raspberry pi fake access point


I was messing around with creating my own access point script with sslstrip, airbase-ng, dhcp-server etc. The idea is that I can run the script from my ssh session via my phone. I wanted to tail the sslstrip output and see the results as they came in. The problem arose when I started airbase-ng: it would just hang and not follow through with the rest of the script. That's when I discovered screen. I'm sure there may be better ways to tackle this, but this solution worked for me :)
I found that if I started 4 separate screen sessions and then, in my script, sent commands to these screens using screen -p 2 -X stuff 'airbase-ng -e Wifi -c 9 mon0', it worked. I can now jump to the different screens to see what's happening.
I've added in a quick command with tshark to record http.post and http.get on at0. It then records to a file.

You can jump between windows by using ctrl + a, and then ctrl + window number
You can also check the currently open windows by using ctrl + a, then ctrl + w.
You'll see in the bottom left corner the open screens.
screen --help for more commands



I made a second script to stop everything.

Raspberry pi war drive

Recently I purchased a Raspberry Pi to motivate myself and jump into the command line and bash scripting. I think the idea of using a Raspberry Pi alongside a security distribution such as Kali is interesting. There are no limits to what can be done, especially considering the size of the Raspberry Pi for concealment. I've started with a war driving project. Later I'd like to add a web interface and turn features on and off through my phone. Some of the equipment I used for this:
  • Raspberry pi B
  • Edimax wireless usb EW-7811U   
  • Alfa AWUS036NH wireless usb
  • EasyACC Super 1200mAh portable charger
  • kali raspberry pi image 
  • 16gb sd card 
  • belkin hi-speed usb 2.0 4-port hub
  • GlobalSat BU-353 usb gps
  • Phone running wifi hotspot and ssh 
Equipment Used
Connect to the pi
I have set up my Pi to connect to my wifi hotspot on startup. To do this, I edited the interfaces file, /etc/network/interfaces, and added the following:
# loopback first, then the wireless interface that joins the phone's hotspot
auto lo
iface lo inet loopback
auto wlan0
iface wlan0 inet dhcp
wpa-ssid "YourSSIDname"
# the passphrase sits here in clear text, so keep this file readable by root only
wpa-psk yourGreatPassword

This works for me and it connects at each startup. It takes about 3 mins to connect. I use an app called JuiceSSH to then ssh into my Raspberry Pi. I've tried a few and this one is really good. I'd recommend installing Hacker's Keyboard as well. It gives you most of the keys you'd have with a regular keyboard and is great when you're editing files, i.e. using Ctrl-X etc.

Setting up gps
My gps was relatively straight forward to get working.
Once plugged in, check which device gpsd is attached to in /etc/default/gpsd
Mine is on /dev/ttyUSB0
It's important to take note of this so you can get it working with Kismet.
Use lsusb to check it's showing up as connected.
If you want to check that your gps is working, use the command cgps -s. You should see some info popping up. 
I have a quick script that starts up gpsd and Kismet. I'm using pyglow to turn on LED lights when it's running so I know it's working.

Kismet 
Kismet comes preinstalled on Kali, so you just need to edit the kismet.conf file to get it working: /etc/kismet/kismet.conf
Find this section and edit the gpsdevice section to whatever your usb was listed as.
You can also do some other configuration, like setting the specific wireless card driver and setting the path where you want your output file to be saved. I have it saved to my Desktop. Also specify which USB adapter you're working from; in my case I have the Alfa plugged in as wlan1.



Create kml file for google maps

The output file from Kismet will be a .netxml. In order for it to display on Google Maps we need a .kml file. We can use giskismet for this and create a database.
To do this, have a look at the possible giskismet commands: giskismet --help
So the command to use is giskismet -x (your .netxml file) -o (the .kml file name you want)
In my case I used:

Now that a database is created with all the info, we can filter what we want from it:
Looking at the giskismet --help output again, using -q with an SQL query we can use the command
giskismet -q "select * from wireless where Encryption='WEP'" -o MyWepMap.kml

This should create a MyWepMap.kml
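Looking at the same survey from an auditing angle, the netxml-to-KML conversion that giskismet does can also be done directly, which is handy for inventorying which of your own networks still run WEP or no encryption at all. The script below is an added example, not code from this post, from giskismet or from Kismet: it parses the newcore Kismet netxml layout (one wireless-network element per AP with its SSID/encryption, BSSID and gps-info averages) and writes one KML Placemark per network. The netxml in it is constructed sample data; the BSSIDs and coordinates are made up.

```python
"""Convert a Kismet .netxml survey to KML and filter networks by encryption.

Added example, not code from the original post or from giskismet/Kismet.
It reads the newcore Kismet netxml layout (<wireless-network> with <SSID>,
<encryption>, <BSSID> and <gps-info>/<avg-lat>,<avg-lon>) and emits one KML
Placemark per located network. SAMPLE_NETXML is constructed test data.
"""
import xml.etree.ElementTree as ET

SAMPLE_NETXML = """<detection-run kismet-version="2011.03.R2" start-time="Sat Nov  2 10:00:00 2013">
  <wireless-network number="1" type="infrastructure">
    <SSID><type>Beacon</type><encryption>WEP</encryption>
      <essid cloaked="false">oldRouter</essid></SSID>
    <BSSID>00:11:22:33:44:55</BSSID>
    <channel>6</channel>
    <gps-info><avg-lat>51.507400</avg-lat><avg-lon>-0.127800</avg-lon></gps-info>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID><type>Beacon</type><encryption>WPA+PSK</encryption><encryption>WPA+AES-CCM</encryption>
      <essid cloaked="false">homeWifi</essid></SSID>
    <BSSID>00:11:22:33:44:66</BSSID>
    <channel>1</channel>
    <gps-info><avg-lat>51.507500</avg-lat><avg-lon>-0.127900</avg-lon></gps-info>
  </wireless-network>
  <wireless-network number="3" type="infrastructure">
    <SSID><type>Beacon</type><encryption>None</encryption>
      <essid cloaked="false">CoffeeShop</essid></SSID>
    <BSSID>00:11:22:33:44:77</BSSID>
    <channel>11</channel>
    <gps-info><avg-lat>51.507600</avg-lat><avg-lon>-0.128000</avg-lon></gps-info>
  </wireless-network>
</detection-run>
"""


def parse_netxml(text):
    """Return a list of dicts, one per network that has an SSID and a GPS fix."""
    nets = []
    for net in ET.fromstring(text).findall("wireless-network"):
        ssid = net.find("SSID")
        gps = net.find("gps-info")
        if ssid is None or gps is None:
            continue  # probe-only or unlocated networks cannot be mapped
        nets.append({
            "essid": (ssid.findtext("essid") or "").strip(),
            "bssid": (net.findtext("BSSID") or "").strip(),
            "channel": (net.findtext("channel") or "").strip(),
            # Kismet lists several <encryption> entries for WPA (e.g. WPA+PSK, WPA+AES-CCM)
            "encryption": [e.text.strip() for e in ssid.findall("encryption") if e.text],
            "lat": float(gps.findtext("avg-lat")),
            "lon": float(gps.findtext("avg-lon")),
        })
    return nets


def filter_by_encryption(nets, wanted):
    """Keep networks whose encryption family (text before any '+') is in wanted."""
    wanted = {w.upper() for w in wanted}
    return [n for n in nets
            if any(e.split("+")[0].upper() in wanted for e in n["encryption"])]


def to_kml(nets, name="Kismet survey"):
    """Serialise networks as a KML document; KML wants lon,lat,alt order."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = name
    for n in nets:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = n["essid"] or n["bssid"]
        ET.SubElement(pm, "description").text = (
            f"BSSID {n['bssid']}, channel {n['channel']}, "
            f"encryption {'/'.join(n['encryption']) or 'unknown'}")
        point = ET.SubElement(pm, "Point")
        ET.SubElement(point, "coordinates").text = f"{n['lon']},{n['lat']},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    weak = filter_by_encryption(parse_netxml(SAMPLE_NETXML), ["WEP", "None"])
    print(to_kml(weak, "Weak or open networks"))
```

Swapping SAMPLE_NETXML for the contents of Kismet's own output file and writing the returned string to a .kml gives the same kind of file that giskismet produces for the WEP query above.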
Now upload it to google maps.

Click into my places

Now create with classic maps, and import your .kml file. Below are the filtered WEP-encrypted networks.