20170706

Configuring Kismet for the Hak5 Wifi Pineapple Nano from Factory Reset

Just documenting some steps and gotchas ... tired of having notes in three different places and fighting through it every time 

[*] REFERENCES

- Firmware
https://www.wifipineapple.com/downloads

- Set-up script
https://github.com/hak5darren/wp6.git

[*] GEAR
- Hak5 Wifi Pineapple Nano - firmware version 1.1.3
- GPS dongle - Model Number - BU-353S4
- Kali (2.0 rolling) running on host laptop

[*] INITIAL SET-UP
- Wifi Pineapple Nano is disconnected
- GPS dongle is disconnected
- Boot up Kali 2.0 host laptop
- Open terminal window
- Run the wp6.sh script from the Hak5 github repository
>./wp6.sh
---> choose "G" for guided
---> verify that the correct internet interfaces are chosen for internet access on the laptop
---> connect wifi pineapple when prompted
---> choose "C" to apply settings and exit
- After running the script, the IPs for the host and Wifi Pineapple Nano are:
---> Kali 2.0 - 172.16.42.42
---> Wifi Pineapple Nano - 172.16.42.1

[*] INSTALLING GPS PACKAGES ON THE Kali 2.0 HOST
- Install the following packages on the Kali 2.0 host
> apt-get install gpsd
> apt-get install gpsd-clients
> apt-get install libgps-dev
> apt-get install libgps22

[*] VERIFY ROUTING TABLE ON THE KALI 2.0 HOST
- Verify that the routing table on the host resembles the example below:
> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.254.254 0.0.0.0         UG    0      0        0 wlan0         <--- Routes connections to the internet
172.16.42.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1           <--- This is the IP assigned to the host by the Wifi pineapple nano via the USB ethernet adapter. The Nano provides DHCP and DNS.
192.168.254.0   0.0.0.0         255.255.255.0   U     600    0        0 wlan0    <--- Local network that the host laptop is connected to

[*] CONFIGURING THE WIFI PINEAPPLE NANO VIA THE BROWSER FROM THE KALI 2.0 HOST
- Browse to http://172.16.42.1:1471
- Choose values for the following
---> administrator password
---> management SSID
---> SSID PSK/passphrase
- Close browser

[*] ACCESS AND UPDATE THE WIFI PINEAPPLE VIA SSH
> ssh root@172.16.42.1
- Stop the Pineapple GUI as it wastes resources and it will not be used
> /etc/init.d/nginx stop
- Update all packages
> opkg update

[*] VERIFY ROUTING TABLE ON THE WIFI PINEAPPLE
- This is important as it allows clients that connect to the Nano to be routed back out to the internet through the Kali host once we have our way with them 
> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.42.42    0.0.0.0         UG    0      0        0 br-lan        <--- Routes connections to the internet from the Wifi Pineapple Nano through the Kali 2.0 host @ 172.16.42.42
172.16.42.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan    <--- Local network that was created by the Wifi Pineapple Nano

[*] INSTALL KISMET TO THE WIFI PINEAPPLE NANO SD CARD
- Install kismet client and server
- Check to see if it is already installed
> opkg list-installed|grep kismet
- View available packages
> opkg list|grep kismet
- Install client and server
> opkg --dest sd install kismet-server
> opkg --dest sd install kismet-client

[*] CONFIGURING KISMET ON THE WIFI PINEAPPLE NANO
- Download manufacturer list
> wget -O /sd/manuf http://anonsvn.wireshark.org/wireshark/trunk/manuf
- Verify that the kismet_client is located in /sd/usr/bin/kismet_client
- Verify that the kismet_server is located in /sd/usr/bin/kismet_server
- Create a kismet.conf file and place it in /sd/etc/kismet.conf
- CHECK: make sure that the kismet.conf file points to the manufacturer list located at /sd/manuf
- CHECK: verify that the gps choice is gpsd
- CHECK: when the kismet_client is started it will automatically call the server. However, it calls it at /usr/bin/kismet_server. Unless a sym link is created the Kismet server will error out
- Create sym link
> ln -s /sd/usr/bin/kismet_server /usr/bin/kismet_server
- CHECK: a sym link also needs to be created for the kismet.conf file
- Create sym link
> ln -s /sd/etc/kismet/kismet.conf /etc/kismet/kismet.conf

[*] OPTIONAL: Install GPS packages directly on the Wifi Pineapple Nano SD card
> cd /sd
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/libgps_3.7-1_ar71xx.ipk
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/libgpsd_3.7-1_ar71xx.ipk
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/gpsd_3.7-1_ar71xx.ipk
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/gpsd-clients_3.7-1_ar71xx.ipk
> opkg --dest sd install libgps_3.7-1_ar71xx.ipk
> opkg --dest sd install libgpsd_3.7-1_ar71xx.ipk
> opkg --dest sd install gpsd_3.7-1_ar71xx.ipk
> opkg --dest sd install gpsd-clients_3.7-1_ar71xx.ipk
> wget https://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/packages/kmod-usb-serial-pl2303_3.3.8-1_ar71xx.ipk
> opkg install kernel kmod-usb-serial-pl2303_3.3.8-1_ar71xx.ipk

[*] START GPSD ON THE KALI 2.0 HOST
- Connect GPS dongle to the Kali 2.0 host laptop
- Start gpsd
> gpsd -G -D 5 -N -n /dev/ttyUSB0
-G ---> listen on all interfaces
-n ---> don't wait for a client to connect
-N ---> don't daemonize
-D ---> set debug level @ 5 
- Verify that a GPS signal is being received. NOTE: There should be lots of activity in the terminal. Wander around a bit and you should see it grab a lat/long and display it in the cgps terminal window
> cgps
> gpsmon

[*] START AND RUN KISMET ON THE WIFI PINEAPPLE NANO
- Place the interface in monitor mode. This may be different depending on your set-up. For me it was wlan1.
> ifconfig wlan1 down
> iwconfig wlan1 mode monitor
> ifconfig wlan1 up
- Verify the configuration
> iwconfig wlan1
wlan1     IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm   
          RTS thr:off   Fragment thr:off
          Power Management:off
- CHECK: To avoid running out of space, it helps to start kismet from within the /sd/kismet directory. This is where it will store the pcap files.
- Run the kismet_client
> kismet_client
- Allow it to automatically start the kismet server
- There may be other notices to click through
- Add the wlan1 interface when prompted
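A pre-flight script for the CHECK items above, added here as an example and not part of the original notes or of Kismet: it assumes the classic kismet.conf keys ouifile=, gps=, gpstype= and gpshost=, and that the Nano's Kismet reaches gpsd on the Kali host at 172.16.42.42 on gpsd's default port 2947 (which is what starting gpsd with -G allows); the config it checks is constructed.

```shell
#!/bin/sh
# conf_get <file> <key> : value of the last uncommented "key=value" line
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# expect_key <file> <key> <wanted> : print a finding, return 1 on mismatch
expect_key() {
    got=$(conf_get "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "[OK]   $2=$got"
    else
        echo "[FAIL] $2 should be '$3' (got '${got:-unset}')"
        return 1
    fi
}

# check_kismet_conf <file> : run the CHECK items, return the number of failures
check_kismet_conf() {
    fails=0
    expect_key "$1" ouifile /sd/manuf         || fails=$((fails + 1))  # manuf list on the SD card
    expect_key "$1" gps true                  || fails=$((fails + 1))
    expect_key "$1" gpstype gpsd              || fails=$((fails + 1))  # gps choice is gpsd
    expect_key "$1" gpshost 172.16.42.42:2947 || fails=$((fails + 1))  # gpsd on the Kali host (assumed)
    return $fails
}

# check_link <link> <target> : the path kismet_client calls must be a sym link to /sd
check_link() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]; then
        echo "[OK]   $1 -> $2"
    else
        echo "[FAIL] $1 must be a sym link to $2"
        return 1
    fi
}

# Demo on a constructed config in a scratch directory; on the Nano run the same
# functions against /etc/kismet/kismet.conf and /usr/bin/kismet_server.
WORK=$(mktemp -d)
GOOD_CONF=$WORK/good.conf
BAD_CONF=$WORK/bad.conf
cat > "$GOOD_CONF" <<'EOF'
# constructed kismet.conf fragment, only the keys the checks look at
ouifile=/sd/manuf
gps=true
gpstype=gpsd
gpshost=172.16.42.42:2947
EOF
cat > "$BAD_CONF" <<'EOF'
ouifile=/etc/manuf
gps=true
gpstype=serial
EOF
mkdir -p "$WORK/sd/usr/bin" && : > "$WORK/sd/usr/bin/kismet_server"
ln -s "$WORK/sd/usr/bin/kismet_server" "$WORK/kismet_server"
check_kismet_conf "$GOOD_CONF" && echo "good.conf: all checks passed"
check_kismet_conf "$BAD_CONF" || echo "bad.conf: $? check(s) failed"
check_link "$WORK/kismet_server" "$WORK/sd/usr/bin/kismet_server"
```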

[*] NAVIGATING KISMET
- Hit "~" to enter into the Kismet menu
- The arrow keys can now be used to move within the menu
- Be sure to sort by anything other than "Autofit" to drill down into individual networks
- The "!", ".", or blank next to each network is a decay indicator.
---> ! recent activity
---> . less activity
---> <blank> no activity
- Highlight network and press <enter> to see more data about the network

20150625

Enumerating Windows Domains with Powershell: DomainEnum v0.1.0

REPO:  https://github.com/pjhartlieb/post-exploitation/tree/master/powershell/DomainEnum

======================================
|
|    p.j.hartlieb
|    powershell post-exploitation
|    DomainEnum module v.0.1.0
|    2015.06.24
|    last verified 2015.06.24
|
======================================

[*] references

## [0] Reference: https://www.veil-framework.com/veil-powerview/
## [1] Reference: http://technet.microsoft.com/en-us/library/ff730967.aspx
## [2] Reference: http://msdn.microsoft.com/en-us/library/system.directoryservices.directorysearcher(v=vs.110).aspx
## [3] Reference: http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry(v=vs.110).aspx

[*] background

The DomainEnum module is intended to support post-exploitation activities from within the user context on the target domain. It will enumerate domain computers, servers, users, emails, groups, group membership(s), sites, subnets, and subnets per site and save the results to one or more files. Whenever possible it will also enumerate computers, servers, users, groups, and group membership per OU. It's really intended to establish situational awareness once you drop onto "patient 0" and set you up to make the most of who you pivot to.

This module was created and tested with:
 Windows Powershell 2.0
 Windows 7 Professional SP1

[*] requirements

- n/a

[*] execution
- Create the following directory structure %USERPROFILE%\documents\windowspowershell\modules\DomainEnum
- Load the contents of the 'DomainEnum' directory into the new directory
- Open terminal
- Type
 >powershell -ExecutionPolicy Bypass -
 PS>import-module DomainEnum
 PS>get-command -module DomainEnum
- All output will be posted to C:\Users\Public\

[*] functionality

- Get-Homebase   identify DC and target domain
- Get-Pedigree   returns baseline information from the target host (patient 0)
- Get-Computer   returns all computers in the current domain
- Get-DC   returns the DCs and PDC for the current domain
- Get-Group   returns all groups in the current domain
- Get-GroupUser   returns all users in each group for the current domain
- Get-Server   returns all servers in the current domain
- Get-User    returns all users in the current domain
- Get-Email    enumerate all email for all users in a domain.
- Get-OU    returns all OUs in the current domain
- Get-OUUser    returns all users for each OU in the current domain
- Get-OUServer    returns all servers for each OU in the current domain
- Get-OUGroup    returns all groups for each OU in the current domain
- Get-OUComputer   returns all computers for each OU in the current domain
- Get-SiteServer   returns all servers for each site in the current domain
- Get-SiteSubnet   returns all subnets for each site in the current domain
- Get-GroupMember  enumerate all users in a specific group in the current domain
- Get-HighValueGroup  locate high value groups, enumerate users, harvest email addresses
- Get-DomainDump  returns all data from all functions

[*] thanks
- Lucius for helping to find those unholy syntax errors and figuring out how to get it to execute hassle free.

20131111

yeyo.pl : Quickly harvest user data for a specific organization or keyword

#REFERENCES

[1] http://www.blackhatlibrary.net/Security101_-_Blackhat_Techniques_-_Hacking_Tutorials_-_Vulnerability_Research_-_Security_Tools:General_disclaimer <---- I borrowed content from here for the disclaimer below.

#BACKGROUND

This script is intended to quickly and easily generate contact information for a specific keyword or organization based on the content returned from www.yatedo.com.  From what I can gather, Yatedo sources its information from publicly available resources on the web and concatenates it all together to present a reasonably accurate user profile.  There is no API and parsing the html seems straightforward.  If you are one of those folks who operates multiple puppet accounts on social media networks (which is a gross violation of the ToS and is not recommended) then this is a good way to whip up some seed accounts to connect with and/or pivot from.  The output is csv formatted as:

First Name, Last Name, Organization, Role

#DISCLAIMER [1]

This script violates the ToS for www.yatedo.com and may get you banned.  This script is intended for educational purposes only.  I will not be held liable for a third party's use (or mis-use) of this information in any way.  Readers, end-users, and downloaders of content are responsible for their own actions.  Readers, end-users, and downloaders of content agree not to use content provided for illegal actions.  Content is provided as an educational resource for security researchers and penetration testers.

#THE SCRIPT

[*] https://github.com/pjhartlieb/recon-and-mapping/blob/master/yeyo.pl

## caveats
- I am not a programmer.  This script is not nearly as tight and clean as it could/should be.
- Improvements and TBD tasking are captured at the top of the script

## usage
> perl yeyo.pl -k <keyword or organization> -s <sleep time between harvesting contact data>

### output

> perl yeyo.pl -k "benchmade" -s 5

[*] Validating keyword/organization ...
[*] Validating sleep time ...
[*] Keyword entered "benchmade".
[*] Sleep times will be between 0 and 5.

[*] Retrieving frontpage for www.yatedo.com
[*] Yatedo appears to be up
[*] Sleeping for 2 seconds to avoid lockout

[*] Submitting search for benchmade
[*] Search successful. Content retrieved
[*] 20 unique links to users and additional results pages were found on the first page
[*] Cummulative results are here: http://www.yatedo.com/s/companyname%3A((benchmade))/normal
[*] Sleeping for 0 seconds to avoid lockout

[*] Retrieving cumulative results for benchmade
[*] Successful. Content retrieved
[*] 16 Links to users found
[*] 1 Links to additional results pages found

[*] Harvesting user data with sleep times between 0 and 5 seconds between records

[*] 11 suitable users found to date

[*] Retrieving target URLs from results page 2
[*] Successful. Content retrieved
[*] 12 Links to users found
[*] 0 Links to additonal results pages found

[*] Harvesting user data with sleep times between 0 and 5 seconds between records

[*] 11 suitable users found to date

[*] candidate user list

Chuck,Alf,Benchmade of Buffalo,Owner
Lyudmila,Ezersky,Benchmade Inc., Benchmade...,Human Resources Administrator
Dan,Janovicz,Benchmade Knife Company,Manufacturing Engineer
Vance,Collver,Benchmade Knife...,Product Development Manager, Process Development Technician,...
J. DENNIS,BURKE,BENCHMADE CLOTHIERS...,Owner
Enzo,Cardillo,Benchmade Leatherworks Inc.,President
Martin (Marty),Mills,Benchmade Knife Company,Manufacturing Engineer
Dillon,Daniel,Benchmade Knife Company,undef|past-role
Kathryn,Delaplain,Benchmade Knife Company,...,Customer Service, Warranty Repair Manager, Multiple
Joe,Verbanac,Benchmade Knife Company,...,Marketing Manager, Sr Art Director
Zack,Hilbourne,Benchmade Knife Company,...,Design Engineer, Mechanical Designer


#FUTURE WORK

I would like to port this over to python and share it with the recon-ng community.  Hopefully, folks will find it useful.

20131018

Passive Recon: Collapsing your target's wavefunction.

We recently had the opportunity to speak with the fine folks at the Charleston ISSA.  We had a great time and are thankful for the opportunity.  The abstract is included below.  The link is provided at the bottom.


Abstract

Title: Passive Recon: Collapsing your target's wavefunction.

An open and accurate accounting of the available intelligence for an individual, organization, or business is typically an undervalued component of both offensive and defensive information security activities. From the defender's perspective, it is important to understand how the source, content, and fidelity of publicly available data can affect the overall security posture of the organization. For the attacker, the gathering and analysis of publicly available data, which often includes usernames, emails, hostnames, subnets, technologies deployed, new product initiatives, employee habits, hobbies, and relationships, will provide actionable intelligence products that can be leveraged to gain a foothold in the target organization and provide the foundation for a successful attack. This presentation will cover intelligence sources, gathering and analysis methods, and the supporting toolset. Individual use cases will highlight how a specific piece of information can be developed into an actionable intelligence product that can then be incorporated into a larger attack plan. This presentation also provides suggestions for limiting, detecting, and mitigating against the information that is made available to the public.

Presentation is here

20130927

Generating email addresses from a non-uniform list of usernames

#REFERENCES

[*] http://ha.ckers.org/fierce/  <------ helped me to figure out how to provide command line options

#BACKGROUND

I've been fortunate enough to be able to do full time pentesting for about the last year.  For each engagement, a good deal of my time is typically spent doing passive reconnaissance and mapping of the target organization.  The objective for this phase has always been the creation of actionable intelligence products that can support later phases of the engagement and more or less provide the foundation for a successful test.  For whatever reason (most likely inexperience), I've always been more successful building out a target list of individual users/usernames vice individual emails.  The username format is typically all over the map since the resources they're pulled from are scattered far and wide.  I needed a quick way to generate candidate emails in the event that I had incomplete information or was unsure of the final format for the email address.  I created a small perl script to accomplish the task.  Armed with the list, the tester may choose to phish the entire list regardless of whether or not the address exists and play the percentages.  Alternatively, this list may be used together with one or more smtp enumeration techniques; the end product being a list of clean and verified email addresses.

#THE SCRIPT

[*] https://github.com/pjhartlieb/recon-and-mapping/blob/master/genmail.pl

## caveats
- I am not a programmer.  This script is not nearly as tight and clean as it could/should be
- I have not attempted to incorporate every regex for every email format that a tester may come across
- Improvements and TBD tasking are captured at the top of the script

## usage
> perl email_generation_v003.pl -d <target domain> -f <username list>

### output
> cat test.txt
Philip Hartlieb

>perl email_generation_v003.pl -d foo.com -f test.txt

[*]    File name entered "test.txt"

[*]    Target domain "foo.com"

[*]    File exists.

[*]    Executing.

[*]    Domain appears to be formatted correctly. Proceeding

[*]    The number of candidate usernames in the base array is: 1

[*]    The number of usernames converted to the "first.last" format is: 1

[*]    The number of usernames converted to the "first.mi.last" format is: 26

[*]    The number of usernames converted to the "LastFiMi" format is: 26

[*]    The number of usernames converted to the "FiMiLast" format is: 26

[*]    The number of unique email addresses generated is: 160

[*]    All emails written to "email_enumeration.txt"

[*]    Have a nice day

> cat email_enumeration.txt

----------------------snip----------------------
Philip.Hartlieb.civ@foo.com
Philip.r.Hartlieb.civ@foo.com
Philip.l.Hartlieb.ctr@foo.com
Philip.z.Hartlieb@foo.com
Philip.u.Hartlieb@foo.com
Philip.b.Hartlieb.civ@foo.com
HartliebPp@foo.com
Philip.p.Hartlieb.mil@foo.com
HartliebPc@foo.com
Philip.w.Hartlieb.ctr@foo.com
Philip.a.Hartlieb.civ@foo.com
PrHartlieb@foo.com
Philip.o.Hartlieb@foo.com
Philip.n.Hartlieb@foo.com
HartliebPi@foo.com
Philip.p.Hartlieb@foo.com
Philip.u.Hartlieb.mil@foo.com
Philip.a.Hartlieb@foo.com
Philip.f.Hartlieb@foo.com
Philip.u.Hartlieb.civ@foo.com
PyHartlieb@foo.com
HartliebPe@foo.com
Philip.g.Hartlieb@foo.com
HartliebPx@foo.com
Philip.y.Hartlieb@foo.com
Philip.f.Hartlieb.ctr@foo.com
HartliebPy@foo.com
HartliebPv@foo.com
Philip.f.Hartlieb.mil@foo.com
Philip.z.Hartlieb.mil@foo.com
Philip.t.Hartlieb.ctr@foo.com
Philip.t.Hartlieb.mil@foo.com
Philip.q.Hartlieb.ctr@foo.com
Philip.t.Hartlieb@foo.com
PgHartlieb@foo.com
Philip.e.Hartlieb.mil@foo.com
Philip.p.Hartlieb.ctr@foo.com
Philip.d.Hartlieb.civ@foo.com
Philip.c.Hartlieb@foo.com
Philip.u.Hartlieb.ctr@foo.com
Philip.h.Hartlieb.ctr@foo.com
Philip.g.Hartlieb.mil@foo.com
----------------------snip----------------------

The regex and final formatting can be changed as needed.  I've heavily commented the code to make this a bit easier.
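The expansion the script performs, rebuilt as an added example (not genmail.pl itself) from the counts and the snipped output above: the middle initial is brute-forced over a-z and the .civ/.ctr/.mil suffixes are applied only to the two dotted formats, which is what makes one "First Last" entry come out to 160 unique addresses. The name list and domain below are constructed.

```shell
#!/bin/sh
LETTERS="a b c d e f g h i j k l m n o p q r s t u v w x y z"
SUFFIXES="civ ctr mil"   # suffixes seen in the snipped output (assumed to apply only to dotted formats)

# genmail <domain> <first> <last> : one candidate address per line
genmail() {
    domain=$1 first=$2 last=$3
    initial=$(printf '%.1s' "$first")
    # first.last, bare and with each suffix (1 + 3 addresses)
    echo "$first.$last@$domain"
    for s in $SUFFIXES; do echo "$first.$last.$s@$domain"; done
    for mi in $LETTERS; do
        # first.mi.last, bare and with each suffix (26 x 4 addresses)
        echo "$first.$mi.$last@$domain"
        for s in $SUFFIXES; do echo "$first.$mi.$last.$s@$domain"; done
        # LastFiMi and FiMiLast carry no suffix in the output (26 each)
        echo "$last$initial$mi@$domain"
        echo "$initial$mi$last@$domain"
    done
}

# genmail_file <domain> <file of "First Last" lines> : unique addresses, sorted
genmail_file() {
    while read -r first last; do
        [ -n "$first" ] && [ -n "$last" ] && genmail "$1" "$first" "$last"
    done < "$2" | sort -u
}

# count_lines : number of lines on stdin, without wc's padding
count_lines() { wc -l | tr -d ' '; }

# Demo with a constructed two-name list; the post's run used one name -> 160
LIST=$(mktemp)
OUT=$(mktemp)
printf 'Jane Doe\nSam Roe\n' > "$LIST"
genmail_file example.com "$LIST" > "$OUT"
echo "unique addresses written to $OUT: $(count_lines < "$OUT")"
```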